Zope 2.13.24 falsely considered end-of-life by F-Secure

Hi all.

As part of a project, our client has made a security scan performed by F-Secure. All in all a fine process, giving us very good input.

But one point of the security report is that Zope 2.13 (Zope 2.13.24) is considered end-of-life. This is of course wrong. For instance, Zope 2.13.25 is planned but still unreleased. See https://zope.readthedocs.io/en/2.13/CHANGES.html
(Incorporating the latest security patches from plone hotfix 20160830).

From the report:
"2.1. Automated scan results
2.1.1. High risk vulnerabilities
2.1.1.1 End-of-life product: Zope

High AV: Network AC: High Au: None C: Complete I: Complete A: Complete 7.6

Vulnerability status: Unattended

Description
This version of the remote web server has reached end-of-life status.
Active development for this version of Zope has ended. New updates or patches will not be
available.

The vulnerability is based on the following retrieved information from 443/TCP:
Zope/(2.13.23, python 2.7.6, linux2) ZServer/1.1

Recommendations
Migrate to the latest Zope version.
"
(we upgraded to 2.13.24, but got the same message).

Other people from the plone/zope community might be affected by this also.

How can the community react to this marking of Zope 2.13 as end-of-life? Would it be possible to make this clearer on the Zope website, or something like this? I can contact F-Secure if I can get some ammunition/documentation.

All the best,
Sune
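As an added illustration (not part of this thread or of Zope itself), here is a small Python triage helper that parses the `Server` banner quoted in the report and checks the version branch against a locally maintained support table before accepting a scanner's end-of-life verdict. The table contents are an assumption taken from the post (2.13 still maintained, 2.13.24 the latest release), not from any Zope source.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Banner exactly as quoted in the F-Secure report in the post above.
SAMPLE_BANNER = "Zope/(2.13.23, python 2.7.6, linux2) ZServer/1.1"

# Assumed support table (constructed for this example): branch -> (maintained?, latest release).
# The post states 2.13 is maintained and 2.13.24 is the newest release; keep this in sync
# with the vendor's CHANGES file rather than trusting a scanner's built-in EOL list.
SUPPORT_TABLE = {
    "2.13": (True, "2.13.24"),
}

# Matches the Zope banner layout: Zope/(<version>, python <version>, <platform>)
BANNER_RE = re.compile(
    r"Zope/\((?P<zope>\d+(?:\.\d+)*),\s*python\s+(?P<python>[\d.]+),\s*(?P<platform>[^)]+)\)"
)


class ZopeBanner(NamedTuple):
    zope_version: str
    python_version: str
    platform: str


def parse_zope_banner(banner: str) -> Optional[ZopeBanner]:
    """Extract Zope version, Python version and platform from a ZServer banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return ZopeBanner(m.group("zope"), m.group("python"), m.group("platform"))


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def triage_eol_finding(banner: str) -> dict:
    """Classify a banner-based 'end-of-life' finding against the support table.

    The scanner flagged the branch (2.13), which is why the report did not change
    after the upgrade from 2.13.23 to 2.13.24; so the check is done per branch,
    and 'behind_latest' separately reports a missing patch release."""
    parsed = parse_zope_banner(banner)
    if parsed is None:
        return {"verdict": "unparsed"}
    branch = ".".join(parsed.zope_version.split(".")[:2])
    entry = SUPPORT_TABLE.get(branch)
    if entry is None:
        return {"verdict": "unknown_branch", "branch": branch}
    maintained, latest = entry
    if not maintained:
        return {"verdict": "confirmed_eol", "branch": branch}
    behind = version_tuple(parsed.zope_version) < version_tuple(latest)
    return {"verdict": "false_positive", "branch": branch, "behind_latest": behind, "latest": latest}
```

Running `triage_eol_finding(SAMPLE_BANNER)` classifies the report's finding as a false positive while still noting that 2.13.23 is behind the latest 2.13.24 release.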

Ei incumbit probatio qui dicit, non qui negat, or, in plain English, it is not the Plone community that has to prove that Zope is not EOL.

Contact F-Secure and ask them to prove it or fix their report.

We have of course had the client contact F-Secure. (Problem is solved, I think).

My point in writing this post was to a) notify the community about a problem that can affect other people in the community, and Zope/Plone in general, and b) as in all 'politics' it is not about being right, but about getting through. This does affect the Plone community - security is one of the strengths of Plone, and it would be beneficial for the community to make sure the stack it builds on is clearly considered safe. It was not easy to actually document that Zope 2 is not end of life; I had to do a bit of digging to get the documentation. This could be made clearer in the community communication strategy.

I know this thread is to be considered "old", yet I wanted to comment on it anyway.

It's ridiculous to consider Zope2 EOL. My company is supporting several high profile websites for several medium to big clients. We're developing a lot of new sites with Zope2-based ZMS3 and Plone. Also, we're running a lot of PHP/MySQL-based Wordpress (and some other LAMP-CMS based sites with high traffic) for many clients. In the last 10 years we had uncountable compromised up-to-date "non-EOL" PHP-based sites and apps, yet not even one using Zope 2. The Zope 2 sites outperform every other PHP-based site in terms of cost effectiveness, security, performance and extensibility.

Yet still Zope 2 is considered EOL? Zope 2 is mature and sometimes a bit "unconventional", yet if you understand the flexibility and use it the right way it still is a great framework. I think of it more like a toolbox than a full framework.

I know that the F-Secure alarm was a false alarm but I felt it to be important to "message" others considering Zope 2 or any product based on it. It might be a tiny niche, yet still a good one. Even in 2017.
