109087 2005-10-12 22:14 0000 net-zope/zope: docutils-related security issue 2005-10-25 04:49:14 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.zope.org/ B2? [glsa] jaervosz P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org net-zope@gentoo.org jaervosz@gentoo.org 2005-10-12 22:14:32 0000 Hotfix 2005-10-09 Alert This hotfix addresses an important security issue that affects users of Zope versions 2.6 or higher. This hotfix resolves a security issue with docutils. Affected are possibly all Zope instances that expose RestructuredText functionalies to untrusted users through the web. koon@gentoo.org 2005-10-13 01:21:44 0000 net-zope herd, please apply hotfix koon@gentoo.org 2005-10-16 03:07:30 0000 Also in : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334054 zope team, please bump. If you find what is the impact of the flaw please comment. radek@gentoo.org 2005-10-16 03:28:32 0000 will do today. radek@gentoo.org 2005-10-17 15:06:18 0000 fixed in portage with two new versions 2.7.8 and 2.8.2 which contains fixes for the vulnabirity. 2.6.x is not supported, we have no information if this can be even patched. jaervosz@gentoo.org 2005-10-17 22:53:16 0000 Thx Radoslaw. Arches please test and mark stable. gustavoz@gentoo.org 2005-10-18 06:43:13 0000 Hmm which version? 2.7.8 or 2.8.2? koon@gentoo.org 2005-10-18 06:50:34 0000 Latest stable was 2.7.7, so 2.7.8 should probably be the stable target. gustavoz@gentoo.org 2005-10-18 07:26:26 0000 sparc stable. hansmi@gentoo.org 2005-10-18 11:08:44 0000 ppc done. kloeri@gentoo.org 2005-10-18 15:24:51 0000 Alpha stable. koon@gentoo.org 2005-10-19 02:06:29 0000 Not sure what this is about. Can't find anything clear in the Changelog... Maybe that : <<disabled ".. include" directive for all the ZReST product and the reStructuredText package>> Looks like a file inclusion issue... maybe local file disclosure ? Radoslaw, any info ? radek@gentoo.org 2005-10-19 04:50:05 0000 i think we can provide general information, about file inclusion, but give a clear info that this allows to break security of the zope to untrusted users through the web. radek@gentoo.org 2005-10-19 04:52:06 0000 I also need to release 2.8.3 tonight, because there were some problems on zope2.8.2 release (http://www.zope.org/Products/Zope/2.8.3/CHANGES.txt) radek@gentoo.org 2005-10-19 13:45:54 0000 release 2.8.3 i suggest that advisory mention also that for 2.8.x branch upgrade to the 2.8.3 should be done. halcy0n@gentoo.org 2005-10-19 22:51:52 0000 stable on x86 koon@gentoo.org 2005-10-20 08:28:22 0000 Radoslaw: removing/masking the 2.8.2 version is the best way to achieve the result from comment #14. Technically >=2.8.2 is fixed (security-wise) so that's probably what we'll put in the GLSA. They will pick up 2.8.3 naturally if 2.8.2 is missing... koon@gentoo.org 2005-10-21 08:18:58 0000 amd64 still missing, should mark 2.7.8 stable blubb@gentoo.org 2005-10-23 04:48:08 0000 amd64 stable, sorry for the delay koon@gentoo.org 2005-10-25 04:49:14 0000 GLSA 200510-20