Zope Changelog

New in version 2.13.19 (November 1st, 2012)

  • Updated distributions:
      • AccessControl = 2.13.12
      • distribute = 0.6.29
      • mr.developer = 1.22
      • pytz = 2012g
      • repoze.retry = 1.2
      • repoze.tm2 = 1.0
      • tempstorage = 2.12.2
  • LP #1071067: Use a stronger random number generator and a constant time comparison function.
  • LP #1061247: Fix ZMI properties edit form for properties named "method".
  • LP #1058049: Fix support for zoperunner section in zope.conf.
  • Explicitly close all databases on shutdown, which ensures Data.fs.index gets written to the file system.
  • LP #930812: Scrub headers a bit more.
  • Fix lock and pid file handling on Windows. On other platforms, starting Zope tolerated existing or locked files; this now also works on Windows.

New in version 2.13.18 (September 26th, 2012)

  • Explicitly declared ZTUtils APIs as public (repairs breakages in apps following fix for LP #1047318).

New in version 2.13.14 (June 1st, 2012)

  • LP #950689: Fix HTTPS detection under mod_wsgi.
  • LP #975039: Don't translate interface names in edit_markers ZMI view.
  • LP #838978: Fixed TypeError in cache_detail ZMI view.
  • Clean up lock and pid files if the process dies early in startup.
  • Added PubStart, PubBeforeCommit and PubAfterTraversal events to the WSGI publisher.
  • ZPublisher: Fixed a traversal regression introduced in 2.13.12.
  • Updated to Zope Toolkit 1.0.7.
  • Updated distributions:
      • Products.ZCatalog = 2.13.23

New in version 2.13.13 (February 26th, 2012)

  • LP #933307: Fixed ++skin++ namespace handling. Ported the shiftNameToApplication implementation from zope.publisher to ZPublisher.HTTPRequest.HTTPRequest.
  • Ensure that ObjectManager's get and __getitem__ methods return only "items" (no attributes / methods from the class or from acquisition). Thanks to Richard Mitchell at Netsight for the report.
  • Updated to Zope Toolkit 1.0.6.
  • Removed HTML tags from exception text of Unauthorized exception because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed.

New in version 2.12.23 (February 26th, 2012)

  • Note end-of-life timeline: Zope 2.12.x is now in security-fix-only mode and will continue to see security updates until October 2013, the same as Python 2.6.x.
  • Ensure that ObjectManager's get and __getitem__ methods return only "items" (no attributes / methods from the class or from acquisition). Thanks to Richard Mitchell at Netsight for the report.
  • Updated distributions:
      • distribute = 0.6.24
      • Products.ZSQLMethods = 2.13.4
      • zope.catalog = 3.8.2
      • zope.componentvocabulary = 1.0.1
      • zope.datetime = 3.4.1
      • zope.deprecation = 3.4.1
      • zope.documenttemplate = 3.4.3
      • zope.index = 3.6.3
      • zope.keyreference = 3.6.4
      • zope.mkzeoinstance = 3.9.5
      • zope.session = 3.9.5
      • zope.testing = 3.9.7

New in version 2.13.11 (December 14th, 2011)

  • Turn UndoSupport.get_request_var_or_attr helper into a private API.
  • LP #902068: Fixed missing security declaration for ObjectManager class.
  • Avoid conflicting signal registrations when run under mod_wsgi. Allows the use of WSGIRestrictSignal Off (LP #681853).
  • Make it possible to use WSGI without repoze.who.
  • Fixed serious authentication vulnerability in stock configuration.
  • Updated distributions:
      • AccessControl = 2.13.7
      • DocumentTemplate = 2.13.2
      • Products.BTreeFolder2 = 2.13.4
      • python-gettext = 1.2
      • repoze.who = 2.0
      • ZODB3 = 3.10.5
      • Zope Toolkit 1.0.5

New in version 2.13.10 (October 4th, 2011)

  • Fixed serious arbitrary code execution issue (CVE-2011-3587): http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
  • Fixed a regression of 2.13.9 in webdav support that broke external editor feature.
  • undoMultiple was still broken as transactions were not undone in the proper order: tids were stored and retrieved as dictionary keys.
  • Updated distributions:
      • Products.ZCatalog = 2.13.20

New in version 2.13.9 (August 23rd, 2011)

  • Restore ability to undo multiple transactions from the ZMI by using the undoMultiple API. Backported from trunk (r122087).
  • Fixed Chameleon compatibility in templates.
  • Updated distributions:
      • Products.ZCatalog = 2.13.19
      • Products.ZCTextIndex = 2.13.3
      • repoze.tm2 = 1.0b2
      • Zope Toolkit 1.0.4

New in version 2.13.7 (May 9th, 2011)

  • Added forward compatibility with DateTime 3.
  • ZPublisher: HTTPResponse.appendHeader now keeps header values to a single line by default to avoid causing problems for proxy servers which do not correctly handle multi-line headers.
  • Updated distributions:
      • Products.ZCatalog = 2.13.13
      • Products.ZCTextIndex = 2.13.2