Nidelven IT - All about Python, Zope & Plone - and Open Source!

Here you'll find issues related to our services. Mostly about Python, Zope and Plone, as well as hosting-related issues.

"Keeping IT real"

Older entries

Atom - Subscribe - Categories

Paid Support simplified and reduced

Hi. We've updated the Paid Support package so that it has less services included, as a part of our work to simplify and strengthen our services.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [19 Mar 08:26 GMT+2]

Multiple vulnerabilities discovered in Zope/Plone

There has been multiple vulnerabilities discovered in Zope/Plone. The link to the relevant page on is here:

We encourage *all* our customers who use Plone to install this fix. We will in the week to come install this fix for all our Paid support, Company Online and Managed Server customers, but we recommend all customers to install this patch now, if they are able to.

[2011-06-11] Looks like patching will take longer than a week, we'll be patching instances as we go along. We believe the exploits are not that severe for the remainder of our customers (a specific segment with specific characteristics).

[Permalink] [By morphex] [Zope instance management (Atom feed)] [04 Jun 11:51 GMT+2]

DoS discovered in Zope PAS

A Denial-of-Service has been discovered in Zope's PAS module:

Where a logged-in user can change their username to someone else's and by doing so, deny the user with the other username authenticated access.

We don't see this bug being serious enough to warrant a patch as it isn't a privilege escalation, and we also believe it would affect a small share of our hosting customers.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [31 May 07:25 GMT+2]

Some information about the upcoming Plone patch

If you can't login to your site, please see:

[Permalink] [By morphex] [Zope instance management (Atom feed)] [07 Feb 14:10 GMT+2]

Update on mitigation procedure

It has been decided that we will disable logins for all our customers, including Zope-only customers.

We're doing this because it is the best way we can handle the problem, and it is a quick fix to switch the sites back to handling logins again.

But we strongly recommend you take the appropriate measures such as installing a hotfix for Plone before enabling logins again.

[Permalink] [By morphex] [Plone vulnerability (privilege escalation) (Atom feed)] [02 Feb 15:42 GMT+2]

Plone vulnerability (privilege escalation)

We have become aware of a problem related to Plone and its security system, which is posted here:

We are considering options and working towards a safe solutions for all our customers, primarily those who have paid support or other security update agreements, and then those who do not.

We think disabling logins is the right way to go about it, but we will discuss this internally, make some decisions and then see what we will do about the problem.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [02 Feb 06:44 GMT+2]

Plone HTML injection vulnerability

There has been discovered an HTML injection vulnerability in Plone:

We're working to update our Paid support, Shared, Company Online and Managed customers now.

Thank you for using our services, we're happy to help.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [19 Jun 19:42 GMT+2]

Notice of database packing

We want to notify our customers for clarity's sake, that we weekly pack the Zope instances' databases, so that at most 7 days of undo information is available.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [20 Jan 14:02 GMT+2]

New security bugs for Python

There has been reported a number of security bugs for Python. When the relevant patches are available, we will upgrade the Python interpreter gratis (for free) for those customers who have Paid Support.

For regular customers, we will make a newer (patched) version of the interpreter available, so that customers can themselves upgrade the instance. For those customers who don't have Paid Support, we can upgrade the instance and move to a newer version of Python, consulting 1.5 hours in the process. Our consulting rates are here:

More information about the vulnerability is here:

[Permalink] [By morphex] [Zope instance management (Atom feed)] [21 Nov 07:14 GMT+2]

Zope hotfix 2008-08-12

There is a security issue in Zope:

where users with access to adding or editing a Python Script can cause a shutdown or denial of service.

Please install the following Hotfix for Zope versions Zope 2.7.0 to Zope 2.11.2 (earlier releases of Zope aren't tested with the Hotfix, even if the Zope release might be affected).

Paid support customers will be upgraded automatically.

[Later..] This hotfix can break Plone sites, so we recommend getting the latest version from SVN if you're installing it yourselves.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [14 Aug 21:38 GMT+2]

Plone hotfix 2008-0164

Is it possible to perform CSRF attacks on Plone sites with version less than 3.1. We recommend installing the Hotfix if you have a Plone 3.0 site. Plone 3.1 sites and newer are not affected by this exploit.

Sites older than Plone 3 (2.5, 2.0, 1.0 and so on) won't be able to make use of the hotfix; for those we recommend following the temporary workarounds listed on the Hotfix announcement:

We'll be installing the Hotfix for paid support customers where applicable (Plone 3.0 sites).

We are working on a solution for older Plone sites as well, which should give fairly good protection against these kinds of attacks.

Paid support customers with old Plone sites will get this fix we develop installed for free, and other customers will be able to get the fix installed for their site for 1 consulting hour.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [15 May 20:55 GMT+2]

Updates for Plone Hotfix 2007-11-06

It has come to our attention that the Plone Hotfix 2007-11-06 which fixes some security issues also introduces some new bugs.

All users running Plone 2.5.0 up to (and including) Plone 2.5.4, and Plone 3.0.0 up to (and including) 3.0.2 are enouraged to upgrade the Hotfix to version 2, as found here:

Paid support customers will be upgraded automatically.

[Permalink] [By morphex] [Plone Hotfix 2007-11-06 (Atom feed)] [28 Jan 15:15 GMT+2]

Plone Hotfix 2007-11-06

A new hotfix is available for users of Plone 2.5 and 3.0, see here

We've installed this hotfix for all customers with the Paid support plan, as well as Standard customers and BO customers.

It is strongly recommended that those of you who are not on these plans install the Hotfix as well, if you're running Plone 2.5.x or Plone 3.0.x.

[Later..] Due to the severity of this bug, we're installing this Hotfix for all customers that might be affected free of charge.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [06 Nov 13:36 GMT+2]

Plone Hotfix 2006-10-31

We've installed the Plone Hotfix for all customers on the Paid support plan, as well as for all shared customers on shared 3.

If you're running Plone 2.5.x on your own instance, it is recommended that you install the Hotfix as well.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [03 Nov 11:54 GMT+2]

Plone compromised in SPAM scheme

Due to Plone being compromised in a new SPAM scheme, we recommend that all our customers upgrade to version 2.1.4 or 2.5.1 of Plone.

We have taken measures to make sure our shared (Standard) customers won't be affected by this situtation.

If you need assistance upgrading your site, contact us and we can arrange something.

For more information, see

[Permalink] [By morphex] [Zope instance management (Atom feed)] [13 Sep 10:42 GMT+2]

Now offering Plone 2.1

Since Plone 2.1 has been officially released, we're now offering to setup Zope instances with Plone 2.0.5 or Plone 2.1 installed.

Plone 2.1 contains a number of improvements, so we recommend new customers to install it instead of 2.0.5 unless they rely on products that only run on Plone 2.0.5.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [09 Sep 13:38 GMT+2]

New service for Plus and Webmaster customers

This week we'll be implementing a new service for our Zope Instance customers where the Zope database will be packed automatically every week, purging changes older than one week.

It's a service that will be on by default, so if you don't want it, let me know. It used to be a part of the paid support package, but we figured it would be a good idea to move into regular support.

Paid support will instead get some new features, which we will get back to at a later date.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [06 Sep 11:51 GMT+2]

Zope restarts for excess memory use

We've increased the frequency for checking how much memory a Zope instance uses (to every 120 minutes instead of 180) so that instances that frequently use too much memory may want to purchase additional blocks to avoid restarts.

[Permalink] [By morphex] [Zope instance management (Atom feed)] [22 Jun 14:11 GMT+2]