Some vulnerabilities have been reported in Zope, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerabilities are caused due to Zope allowing administrators to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited, e.g., to add users or change user privileges by enticing a logged-in administrator to visit a malicious site. The vulnerability is reported in all Zope versions up to and including 2.10.2.

SOLUTION: Apply hotfix: http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement/view

net-zope, please advise.
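The advisory above describes the classic CSRF shape: an administrative action is performed for any HTTP request that arrives with a logged-in session, so a third-party page can trigger it. The following Python example, added here and not code from Zope or from this bug thread, shows the unprotected handler beside one gated on a per-session synchronizer token (plus an Origin check as a second signal). The request model, the `add_user_*` handlers, the site origin `https://zope.example` and the three sample requests are all constructed assumptions for illustration.

```python
"""Added example (not Zope's code): synchronizer-token CSRF check for a
state-changing admin action.

An endpoint that honours any request from an admin session can be driven
by a page the admin merely visits. The hardened handler additionally
requires a per-session secret that a cross-site page cannot read.  All
names, the request shape and the sample requests are assumptions
constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    is_admin: bool
    # Token issued once per session and embedded into the site's own admin forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    session: Session  # cookie-bound session; the browser attaches it automatically
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


USERS = {}  # constructed in-memory user store: name -> role


def add_user_unprotected(req: Request) -> tuple:
    """'Before' behaviour: any request from an admin session is honoured,
    so a cross-site form submission succeeds."""
    if not req.session.is_admin:
        return (403, "admin only")
    USERS[req.form["name"]] = req.form.get("role", "Member")
    return (200, "added")


def csrf_ok(req: Request, site_origin: str) -> bool:
    """Accept a state-changing request only if it carries the session token.
    The Origin header is an independent second check: a cross-site page can
    neither read the token nor choose the Origin the browser sends."""
    if req.method not in ("POST", "PUT", "DELETE"):
        return False  # state changes must not ride on GET (e.g. an <img> src)
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False
    origin = req.headers.get("Origin")
    return origin is None or origin == site_origin


def add_user_protected(req: Request, site_origin: str = "https://zope.example") -> tuple:
    """Hardened handler: same action, gated on the CSRF check."""
    if not req.session.is_admin:
        return (403, "admin only")
    if not csrf_ok(req, site_origin):
        return (403, "missing or invalid request token")
    USERS[req.form["name"]] = req.form.get("role", "Member")
    return (200, "added")


def demo() -> dict:
    """Runs three constructed requests against both handlers and reports
    the status codes and which users ended up in the store."""
    USERS.clear()
    admin = Session(user="admin", is_admin=True)
    # 1. Form POST from another site: session cookie rides along, but the
    #    page cannot know csrf_token and the browser reports its own Origin.
    cross_site = Request("POST", "/manage_users", admin,
                         form={"name": "mallory", "role": "Manager"},
                         headers={"Origin": "https://other-site.example"})
    # 2. Legitimate submission from the site's own admin form.
    legit = Request("POST", "/manage_users", admin,
                    form={"name": "alice", "role": "Manager",
                          "csrf_token": admin.csrf_token},
                    headers={"Origin": "https://zope.example"})
    # 3. Same action attempted through a GET, even with a valid token.
    via_get = Request("GET", "/manage_users", admin,
                      form={"name": "bob", "csrf_token": admin.csrf_token})

    before = {"cross_site": add_user_unprotected(cross_site)[0]}
    USERS.clear()
    after = {"cross_site": add_user_protected(cross_site)[0],
             "legit": add_user_protected(legit)[0],
             "via_get": add_user_protected(via_get)[0]}
    return {"unprotected": before, "protected": after, "users": dict(USERS)}


if __name__ == "__main__":
    print(demo())
```

The token comparison uses `hmac.compare_digest` so a wrong token is rejected in constant time, and GET is refused outright because a browser issues GETs for image and script tags without any user action; the Origin check alone would not be enough on browsers that omit the header, which is why the token is the primary control.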
Released new zope versions which include the fix:
2.8.9 (downgraded to ~ on all arches)
2.9.7 (previous version was ~)
2.10.3 (previous version was ~)
Thx Radoslaw. Arches please test and mark stable. Target keywords are:
zope-2.8.9.ebuild:KEYWORDS="alpha amd64 ppc sparc x86"
======================================================================
ERROR: testDropPrivileges (Zope2.Startup.tests.testStarter.ZopeStarterTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/Zope2/Startup/tests/testStarter.py", line 264, in testDropPrivileges
    finished = starter.dropPrivileges()
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/Zope2/Startup/__init__.py", line 213, in dropPrivileges
    return dropPrivileges(self.cfg)
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/Zope2/Startup/__init__.py", line 406, in dropPrivileges
    raise ZConfig.ConfigurationError(msg)
ConfigurationError: Cannot start Zope with the effective user as the root user
======================================================================
ERROR: testZopeRunConfigure (Zope2.Startup.tests.testStarter.ZopeStarterTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/Zope2/Startup/tests/testStarter.py", line 393, in testZopeRunConfigure
    configure(fname)
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/Zope2/Startup/run.py", line 34, in configure
    starter.dropPrivileges()
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/Zope2/Startup/__init__.py", line 213, in dropPrivileges
    return dropPrivileges(self.cfg)
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/Zope2/Startup/__init__.py", line 382, in dropPrivileges
    raise ZConfig.ConfigurationError(msg)
ConfigurationError: A user was not specified to setuid to; fix this to start as root (change the effective-user directive in zope.conf)
======================================================================
FAIL: testUmask (zdaemon.tests.testzdrun.ZDaemonTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/var/tmp/portage/net-zope/zope-2.8.9/work/Zope-2.8.9-final/lib/python/zdaemon/tests/testzdrun.py", line 260, in testUmask
    self.assert_(not os.access(path, os.W_OK))
  File "/usr/lib/python2.3/unittest.py", line 278, in failUnless
    if not expr: raise self.failureException, msg
AssertionError
I'm no Zope expert but this looks like an ebuild error to me so back to ebuild status. Radoslaw please provide an updated ebuild.
Christian, could you provide more information about when this error happened? Was this the test phase in the emerge? If yes, we'll probably have to just disable it (patching zope to make the test not use the root user is (probably) too much work for us atm).
OK, there is a problem with the targz released by Zope Corp, as mentioned by Andreas Jung: "I uploaded corrected versions of the Zope 2.9.7 and 2.10.3 tar-balls. The tar-balls released yesterday contained a bug that caused a startup failure when using "zopectl start"." Give me a day to fix it.
(In reply to comment #5)
> Christian, could you provide more information about when this error happened?
> Was this the test phase in the emerge? If yes, we'll probably have to just disable
> it (patching zope to make the test not use the root user is (probably) too much work for
> us atm).

Yes, it was the test phase... so I am a bit surprised arches were unCCed. :) Just a comment on whether the test phase is known to fail or not.
@Christian, please provide a bit more information when you paste in results then :) Security is not overstaffed atm. @Radoslaw, just re-add arches when the ebuilds are ready for further testing.
(In reply to comment #8)
> @Christian, please provide a bit more information when you paste in results
> then :) Security is not overstaffed atm.

Sune, I thought everyone knows my profile by now. :)

Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19-gentoo-r5 i686)
=================================================================
System uname: 2.6.19-gentoo-r5 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 27 Mar 2007 04:20:02 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/spool/PBS /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php4/ext-active/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE.utf8"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="3dnow 3dnowext X Xaw3d a52 alsa apache apache2 artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal iconv icq idn imagemagick imap isdnlog java javamail javascript jikes jpeg jpeg2k kde ldap leim libg++ mad maildir matroska mbox mhash midi mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora tiff truetype truetype-fonts type1-fonts unicode usb vcd videos vorbis win32codecs wmf wxwindows x86 xine xml xorg xosd xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="de"
USERLAND="GNU"
VIDEO_CARDS="radeon vesa fbdev"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Christian, I only had time for a quick look at your output and wasn't sure whether it was the test phase or not. Waiting for the maintainer to update with fixed tarballs as per comment #6.
Committed fixed versions: 2.10.3, 2.9.7, 2.8.9 and 2.8.9.1. Arches, please test (thoroughly, due to the newly introduced versioning scheme) and stabilize: 2.8.9.1
x86 stable
ppc stable
amd64 stable
updating status.
alpha stable
sparc stable.
thanks arches. security, please vote.
I tend to vote NO.
voting no, that makes 1.5 votes against a GLSA atm
voting no, and closing without glsa. feel free to reopen if you disagree.
agree