
[linux-security] more Zope bugs

Topic
=====
Numerous security vulnerabilities in Zope.

Problem Description
===================
The issue is related to ZClasses in that a user with through-the-web
scripting capabilities on a Zope site can view and assign class
attributes to ZClasses, possibly allowing them to make inappropriate
changes to ZClass instances.

The new version also fixes problems in the ObjectManager, PropertyManager,
and PropertySheet classes related to the mutability of method return values,
which could be perceived as a security problem.
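The "mutability of method return values" problem named above is a general
class of bug, not specific to Zope: a method hands out its internal list or
dictionary instead of a copy, so anyone permitted to *read* it can rewrite the
object's state without ever passing through the permission-checked setter.
The following is an added illustration written for this page; the two classes
are constructed for the example and are not Zope's own ObjectManager or
PropertyManager code. The method names (propertyMap, addProperty) are
assumed for the illustration.

```python
import copy

# Constructed illustration of the "mutable method return value" bug class named in
# the advisory; these classes are NOT Zope's ObjectManager/PropertyManager code.


class LeakyPropertyManager:
    """Returns its internal property list directly, so any caller allowed to
    read the property map can also rewrite it, bypassing the setter."""

    def __init__(self):
        self._properties = [{"id": "title", "type": "string", "mode": "w"}]

    def propertyMap(self):
        return self._properties  # the live internal list, not a copy

    def addProperty(self, pid, ptype, mode="w"):
        # The only path that is meant to change state; in a real system this
        # is where a permission check would sit.
        self._properties.append({"id": pid, "type": ptype, "mode": mode})


class SafePropertyManager(LeakyPropertyManager):
    def propertyMap(self):
        # Hand out an immutable container of deep copies: callers can inspect
        # (and even mutate) what they get without touching the manager.
        return tuple(copy.deepcopy(p) for p in self._properties)


def read_access_alters_state(manager_cls):
    """Return True if mutating the value returned by propertyMap() changes
    what the manager itself reports afterwards."""
    mgr = manager_cls()
    returned = mgr.propertyMap()
    try:
        returned.append({"id": "added_by_caller", "type": "string", "mode": "w"})
    except AttributeError:
        pass  # a tuple cannot be appended to
    returned[0]["mode"] = ""  # try to flip the existing property's mode
    after = mgr.propertyMap()
    return any(p["id"] == "added_by_caller" for p in after) or after[0]["mode"] == ""


if __name__ == "__main__":
    print("leaky:", read_access_alters_state(LeakyPropertyManager))  # True
    print("safe: ", read_access_alters_state(SafePropertyManager))   # False
```

The fix is the same whatever the framework: return copies or immutable views
from read methods, and keep every state change behind the method that
enforces the permission check.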

Affected Systems
================
Systems that have Zope installed (usually Apache web servers).
Affected versions: up to and including Zope-2.3.1b1.

Remark
======
This is the second advisory on Zope within a short time. If you do not
really need it, remove it from your system.

Solution
========

Debian 2.2 (potato)
-------------------
upgrade to zope_2.1.6-7_i386.deb

Mandrake 7.1, 7.2
-----------------
rpm -Fvh Zope-2.2.4-1.3mdk.i586.rpm \
         Zope-components-2.2.4-1.3mdk.i586.rpm \
         Zope-core-2.2.4-1.3mdk.i586.rpm \
         Zope-pcgi-2.2.4-1.3mdk.i586.rpm \
         Zope-services-2.2.4-1.3mdk.i586.rpm \
         Zope-zpublisher-2.2.4-1.3mdk.i586.rpm \
         Zope-zserver-2.2.4-1.3mdk.i586.rpm \
         Zope-ztemplates-2.2.4-1.3mdk.i586.rpm

RedHat 6.x, 7.0
---------------
RedHat ships Zope as part of the powertools packages, not with its
standard distributions.
Remove Zope if you can. Otherwise:

6.x:
rpm -Fvh Zope-2.2.4-6.i386.rpm \
         Zope-components-2.2.4-6.i386.rpm \
         Zope-core-2.2.4-6.i386.rpm \
         Zope-pcgi-2.2.4-6.i386.rpm \
         Zope-services-2.2.4-6.i386.rpm \
         Zope-zpublisher-2.2.4-6.i386.rpm \
         Zope-zserver-2.2.4-6.i386.rpm \
         Zope-ztemplates-2.2.4-6.i386.rpm

7.0:
rpm -Fvh Zope-2.2.4-7.i386.rpm \
         Zope-components-2.2.4-7.i386.rpm \
         Zope-core-2.2.4-7.i386.rpm \
         Zope-pcgi-2.2.4-7.i386.rpm \
         Zope-services-2.2.4-7.i386.rpm \
         Zope-zpublisher-2.2.4-7.i386.rpm \
         Zope-zserver-2.2.4-7.i386.rpm \
         Zope-ztemplates-2.2.4-7.i386.rpm
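After applying the packages above, a quick way to confirm that no Zope
package on a host was missed is to compare `rpm -qa` output against the
fixed builds listed in this advisory. The script below is an added example
written for this page, not part of the advisory; it covers all three rpm-based
distributions listed, uses a deliberately simplified version comparison
(an assumption, not a reimplementation of rpmvercmp), and runs on a
constructed sample of `rpm -qa | grep -i zope` output rather than real host data.

```python
import re

# Fixed (version, release) per distribution, taken from the advisory's package lists.
FIXED = {
    "mandrake": ("2.2.4", "1.3mdk"),
    "redhat6": ("2.2.4", "6"),
    "redhat7": ("2.2.4", "7"),
}

# Constructed sample of `rpm -qa | grep -i zope` output, not data from a real host.
SAMPLE_RPM_QA = """\
Zope-2.2.4-5
Zope-core-2.2.4-5
Zope-zpublisher-2.2.4-7
Zope-ztemplates-2.2.4-7
apache-1.3.12-2
"""

_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>[^-]+)$")


def _segments(s):
    """Split a version or release string into comparable segments.
    Simplified rpmvercmp (assumption): numeric segments compare as integers
    and rank above alphabetic ones; good enough for the builds listed here."""
    return tuple((1, int(t)) if t.isdigit() else (0, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", s))


def parse_package(line):
    """'Zope-core-2.2.4-5' -> ('Zope-core', '2.2.4', '5'); None if not name-version-release."""
    line = re.sub(r"\.(i[3-6]86|noarch)$", "", line.strip())  # drop a trailing arch if present
    m = _PKG_RE.match(line)
    return (m.group("name"), m.group("ver"), m.group("rel")) if m else None


def outdated_zope_packages(rpm_qa_output, distro):
    """Names of installed Zope* packages older than the advisory's fixed build."""
    fixed_ver, fixed_rel = FIXED[distro]
    fixed = (_segments(fixed_ver), _segments(fixed_rel))
    outdated = []
    for line in rpm_qa_output.splitlines():
        pkg = parse_package(line)
        if pkg is None or not pkg[0].lower().startswith("zope"):
            continue
        name, ver, rel = pkg
        if (_segments(ver), _segments(rel)) < fixed:
            outdated.append(name)
    return outdated


if __name__ == "__main__":
    # On a real host: rpm -qa | grep -i zope > zope-pkgs.txt, then feed that file in.
    print(outdated_zope_packages(SAMPLE_RPM_QA, "redhat6"))  # ['Zope', 'Zope-core']
```

With the sample input the two partially upgraded packages (Zope and Zope-core
at release 5) are reported, while the sub-packages already at the fixed
release pass; an empty list means every Zope package is at or above the build
named in the advisory for that distribution.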