Hi all.
As part of a project, our client has had a security scan performed by F-Secure. All in all a fine process, giving us very good input.
But one point of the security report is that Zope 2.13 (Zope 2.13.24) is considered end-of-life. This is of course wrong. For instance, Zope 2.13.25 is planned but still unreleased. See https://zope.readthedocs.io/en/2.13/CHANGES.html
(Incorporating the latest security patches from plone hotfix 20160830).
From the report:
"2.1. Automated scan results
2.1.1. High risk vulnerabilities
2.1.1.1 End-of-life product: Zope
High AV: Network AC: High Au: None C: Complete I: Complete A: Complete 7.6
Vulnerability status: Unattended
Description
This version of the remote web server has reached end-of-life status.
Active development for this version of Zope has ended. New updates or patches will not be
available.
The vulnerability is based on the following retrieved information from 443/TCP:
Zope/(2.13.23, python 2.7.6, linux2) ZServer/1.1
Recommendations
Migrate to the latest Zope version.
"
(we upgraded to 2.13.24, but got the same message).
Other people from the plone/zope community might be affected by this also.
How can the community react to this marking of Zope 2.13 as end-of-life? Would it be possible to make this clearer on the Zope website, or something like this? I can contact F-Secure if I can get some ammunition/documentation.
All the best,
Sune
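The scanner's finding above is derived from the `Server` banner it retrieved on 443/TCP, and the quoted banner still reads 2.13.23 even though the post says the site was upgraded to 2.13.24. A first step in reconciling such a report is to check what the server actually advertises and compare it with the version you believe is installed. The following is an added example, not code from the original post or from the Zope project; it parses a banner in the format quoted in the report and compares the advertised Zope version against an expected one. The sample header is constructed, and the `fetch_server_header` helper (which needs network access and is not exercised offline) is an assumption about how one would retrieve the banner from a live host.

```python
import http.client
import re
from typing import Dict, Optional, Tuple

# Constructed sample, modelled on the banner line quoted in the scan report.
SAMPLE_SERVER_HEADER = "Zope/(2.13.23, python 2.7.6, linux2) ZServer/1.1"

# Matches "Zope/(<zope-version>, python <py-version>, <platform>) ZServer/<ver>";
# the trailing ZServer part is optional because not every deployment sends it.
BANNER_RE = re.compile(
    r"Zope/\((?P<zope>[\d.]+),\s*python\s+(?P<python>[\d.]+),\s*(?P<platform>[^)]+)\)"
    r"(?:\s+ZServer/(?P<zserver>[\d.]+))?"
)


def parse_zope_banner(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the components of a Zope Server banner, or None if it is not one."""
    match = BANNER_RE.search(header)
    if match is None:
        return None
    return match.groupdict()


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.13.23' into (2, 13, 23) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def compare_advertised_version(header: str, expected_zope: str) -> Dict[str, object]:
    """Compare the Zope version a server advertises with the one you expect.

    'older' is True when the banner lags behind the expected version, which is
    the case a defender wants to notice after an upgrade (stale instance,
    un-restarted process, or a different host answering than assumed).
    """
    info = parse_zope_banner(header)
    if info is None:
        return {"parsed": False, "advertised": None, "matches": False, "older": False}
    advertised = info["zope"]
    return {
        "parsed": True,
        "advertised": advertised,
        "matches": version_tuple(advertised) == version_tuple(expected_zope),
        "older": version_tuple(advertised) < version_tuple(expected_zope),
    }


def fetch_server_header(host: str, port: int = 443) -> Optional[str]:
    """Hypothetical helper: issue a HEAD request and return the Server header.

    Assumes the host serves HTTPS on the given port; only run this against
    systems you administer.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration using the constructed sample banner.
    print(parse_zope_banner(SAMPLE_SERVER_HEADER))
    print(compare_advertised_version(SAMPLE_SERVER_HEADER, "2.13.24"))
```

If `older` comes back True after an upgrade, the scanner is reporting what the server really sends, and the deployment (not the report) is the thing to investigate; if the live banner already shows the new version, the report's retrieved-information line is stale and that is concrete evidence to hand back to the vendor.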