
Security issue in Grok: please upgrade!

December 12, 2008. The Grok team encountered a serious security issue that exposes Grok installations to attacks that erase data as well as remote denial of service attacks. We strongly urge people to upgrade to newer versions of Grok immediately. We have supplied new bug fix releases of Grok for Grok 0.11 up to the recent release, Grok 0.14.

Only projects that use Grok directly are affected by this security issue. If your Zope 3 project uses the grokcore.* libraries or if you use five.grok on Zope 2, there is no security problem.

How to upgrade Grok? Below we give instructions that you can apply to your Grok projects. Please run buildout after making the changes; this will download the fixed version of Grok. After this, restart your server!

The upgrade instructions assume two possible installation methods:

  • Old versions of grokproject generated projects that only include the extends= line in buildout.cfg; updating that line to point to a newer version of Grok is sufficient.
  • Newer versions of grokproject create projects that require you to modify versions.cfg. There is also a line pointing to a Grok version in the eggbasket section of buildout.cfg. While this is a download optimization only, we still recommend you update that line as well.

Grok 0.14: upgrade to Grok 0.14.1

In the file versions.cfg change the line:

grok = 0.14

to this:

grok = 0.14.1

If you have no versions.cfg, go to your project's buildout.cfg and adjust this line:

extends = http://grok.zope.org/releaseinfo/grok-0.14.cfg

to this:

extends = http://grok.zope.org/releaseinfo/grok-0.14.1.cfg

While not strictly required, we also recommend you modify the following line in the [eggbasket] section (if present):

url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.tgz

to:

url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.1.tgz

After this change, run buildout and restart the server.

This version should work properly with Python 2.4 and Python 2.5.

Grok 0.13: upgrade to Grok 0.13.1

In the file versions.cfg change the line:

grok = 0.13

to this:

grok = 0.13.1

If you have no versions.cfg, go to your project's buildout.cfg and adjust this line:

extends = http://grok.zope.org/releaseinfo/grok-0.13.cfg

to this:

extends = http://grok.zope.org/releaseinfo/grok-0.13.1.cfg

While not strictly required, we also recommend you modify the following line in the [eggbasket] section (if present):

url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.tgz

to:

url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.1.tgz

After this change, run buildout and restart the server.

This version should work properly with Python 2.4 and Python 2.5.

Grok 0.12 and Grok 0.12.1: upgrade to Grok 0.12.2

In the file versions.cfg change the line:

grok = 0.12 (or 0.12.1)

to this:

grok = 0.12.2

If you have no versions.cfg, go to your project's buildout.cfg and adjust this line:

extends = http://grok.zope.org/releaseinfo/grok-0.12.cfg (or grok-0.12.1.cfg)

to this:

extends = http://grok.zope.org/releaseinfo/grok-0.12.2.cfg

While not strictly required, we also recommend you modify the following line in the [eggbasket] section (if present):

url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.tgz (or grok-eggs-0.12.1.tgz)

to:

url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.2.tgz

After this change, run buildout and restart the server.

Note: the integrated REST support does not function properly on Python 2.5 in this version. It does work with the recommended version Python 2.4.

Grok 0.11 and Grok 0.11.1: upgrade to Grok 0.11.2

In the file versions.cfg change the line:

grok = 0.11 (or 0.11.1)

to this:

grok = 0.11.2

If you have no versions.cfg, go to your project's buildout.cfg and adjust this line:

extends = http://grok.zope.org/releaseinfo/grok-0.11.cfg (or grok-0.11.1.cfg)

to this:

extends = http://grok.zope.org/releaseinfo/grok-0.11.2.cfg

We have not released a grok-eggs-0.11.2.tgz as we never maintained such tarball releases for Grok 0.11.

After this change, run buildout and restart the server.

Note: the integrated REST support will not function properly on Python 2.5 in this version. It does work with the recommended version Python 2.4.
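As an added check (not part of the original post or of Grok itself), the following Python script reads a project's buildout.cfg or versions.cfg and reports every Grok reference that is still older than the fixed release of its series, using the version table above. Section and option names follow the files shown above; the sample configs are constructed.

```python
"""Report Grok pins in a buildout config that predate the fixed releases."""
import configparser
import re

# Fixed release per Grok series, as listed in the advisory above.
FIXED = {"0.11": "0.11.2", "0.12": "0.12.2", "0.13": "0.13.1", "0.14": "0.14.1"}


def parse_version(v):
    """'0.12.1' -> (0, 12, 1); missing parts count as 0 so '0.14' < '0.14.1'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def series(v):
    """'0.12.1' -> '0.12' (the series the advisory keys its fixes by)."""
    return ".".join(v.split(".")[:2])


def pinned_grok_versions(cfg_text):
    """Collect every Grok version the config refers to, keyed by location:
    versions:grok, buildout:extends and eggbasket:url (see the post)."""
    cp = configparser.ConfigParser(interpolation=None)  # buildout uses ${...}
    cp.read_string(cfg_text)
    found = {}
    if cp.has_option("versions", "grok"):
        found["versions:grok"] = cp.get("versions", "grok").strip()
    if cp.has_option("buildout", "extends"):
        m = re.search(r"grok-(\d+(?:\.\d+)+)\.cfg", cp.get("buildout", "extends"))
        if m:
            found["buildout:extends"] = m.group(1)
    if cp.has_option("eggbasket", "url"):
        m = re.search(r"grok-eggs-(\d+(?:\.\d+)+)\.tgz", cp.get("eggbasket", "url"))
        if m:
            found["eggbasket:url"] = m.group(1)
    return found


def audit(cfg_text):
    """Return (location, current, required) for each reference older than
    the fixed release of its series; series outside the table are skipped."""
    findings = []
    for where, ver in pinned_grok_versions(cfg_text).items():
        fixed = FIXED.get(series(ver))
        if fixed is not None and parse_version(ver) < parse_version(fixed):
            findings.append((where, ver, fixed))
    return findings


# Constructed sample configs in the layouts grokproject generates.
SAMPLE_VERSIONS_CFG = "[versions]\ngrok = 0.14\n"
SAMPLE_BUILDOUT_CFG = (
    "[buildout]\nextends = http://grok.zope.org/releaseinfo/grok-0.12.1.cfg\n"
    "parts = app\n\n[eggbasket]\n"
    "url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.1.tgz\n"
)
```

Run it over both buildout.cfg and versions.cfg of each project; an empty result means every reference already points at a fixed release.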