TurboGears 0.8.8 security fix release
by Kevin Dangoor
I have just released TurboGears 0.8.8. The only change from 0.8.7 is the requirement of CherryPy 2.1.1.
The staticfilter of CherryPy 2.1.0 has a serious security flaw that would allow people to retrieve files from “..”. You should update as soon as possible:
- You can run “easy_install CherryPy>=2.1.1” as the simplest update path
- You can also use the standard TurboGears upgrade instructions: http://www.turbogears.org/download/upgrade.html
Thanks to Remi Delon and the others on the CherryPy team for a fast fix and release on this issue!
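The flaw described above is the classic directory-traversal case: a static-file handler must refuse any request whose path would resolve outside the document root. As an added example, not code from CherryPy or TurboGears, here is a Python containment check run over a constructed set of requests; the root directory is a placeholder.

```python
import os
import re
from urllib.parse import unquote

# Constructed document root for the example; any directory works.
STATIC_ROOT = "/srv/www/static"

def safe_static_path(root, url_path):
    """Return the file under `root` named by `url_path`, or None if the request
    would escape `root`. Any '..' segment is refused rather than normalised away."""
    root = os.path.realpath(root)
    # Decode percent-encoding so "%2e%2e" is seen as "..", and reject NUL bytes,
    # which truncate paths in C-level file APIs.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Split on both separator styles: on Windows a backslash is a path
    # separator even though it is not one in a URL.
    segments = [s for s in re.split(r"[\\/]+", decoded) if s]
    if not segments or any(s in (".", "..") for s in segments):
        return None
    # On Windows a leading drive letter ("C:") would make the join absolute.
    if os.path.isabs(segments[0]) or ":" in segments[0]:
        return None
    candidate = os.path.realpath(os.path.join(root, *segments))
    # The resolved path must still sit under root; this also catches symlinks
    # inside root that point elsewhere.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# Constructed requests with the expected decision for each.
SAMPLE_REQUESTS = {
    "/css/site.css": True,
    "/../../etc/passwd": False,
    "/%2e%2e/%2e%2e/etc/passwd": False,
    "/css/..\\..\\boot.ini": False,
    "/css/sub/../site.css": False,
}

def check_samples(root=STATIC_ROOT):
    """Return {url_path: allowed?} for the constructed requests above."""
    return {p: safe_static_path(root, p) is not None for p in SAMPLE_REQUESTS}
```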
I tried to install TurboGears for the first time today but didn’t succeed because the ez_setup.py script failed complaining that the proxy requires authentication. I looked into the python documentation and it says that urllib.urlopen doesn’t support proxies that require authentication. I don’t really have another way to access the internet. I looked at the install page. I am using Windows XP. I guess I could try to install each of the packages separately. I don’t really know what else to do. Please advise.
Hi Greg,
Sorry to hear that. Here’s the solution available at present:
http://tinyurl.com/c8gpm
Phillip Eby wrote setuptools/ez_setup, so he’s aware of the issue. I’ll open a ticket in our Trac to make an egg bundle that can be downloaded for offline ez_setup. For now, though, Phillip describes the best options available.