Since this is a couple of days old and I haven't seen it mentioned here yet at all, I thought I could as well inform you. Plone versions 2.5 and 2.5.1 have a potential vulnerability that allows a user to masquerade as a group. More information & patch available at the URL I put above.
net-zope, please provide an updated ebuild. Btw, the affected version is in ~arch, so no GLSA will be needed.
Deeply sorry for the delay (I'm the only active developer for net-zope/*). This one will be fixed around Dec 24th together with some version bumps.
Thx Radek. Please comment again on this bug when you commit the updated ebuild.
Both plone-2.5 and plone-2.5.1 fixed to contain this hotfix upon installation. No version bump.
Thx Radoslaw. Normally we encourage a version bump so emerge world users will pick up the update.
The update won't be picked up, because Zope products are installed in a two-phase process, while the second phase (zprod-manager) is strictly manual. Simply emerging the app (Plone here) will just result in the new Plone source being on the machine, but not the one which is currently used in the Zope instance. One can argue that even in such a case a bump is suggested, because subsequent Plone installations can be fixed, but net-zope policy didn't do it till recently. So, knowing this, is your recommendation still to revbump it? If yes, I'll do it.
I would prefer a bump with a post-install message telling the user what to do.
plone-2.5.1-r1.ebuild committed.
The only stable ebuilds (2.0.4 and 2.0.5) are not vulnerable --> closing. Feel free to reopen if you disagree.