Bug 109087 - net-zope/zope: docutils-related security issue
Bug#: 109087 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://www.zope.org/
Summary: net-zope/zope: docutils-related security issue
Keywords:  
Status Whiteboard: B2? [glsa] jaervosz
Opened: 2005-10-12 22:14 0000
Description:
Hotfix 2005-10-09 Alert
This hotfix addresses an important security issue that affects users of Zope
versions 2.6 or higher.
This hotfix resolves a security issue with docutils.
Affected are possibly all Zope instances that expose RestructuredText
functionalities to untrusted users through the web.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-10-13 01:21:44 0000 -------
net-zope herd, please apply hotfix

------- Comment #2 From Thierry Carrez (RETIRED) 2005-10-16 03:07:30 0000 -------
Also in :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334054

zope team, please bump. If you find what is the impact of the flaw please comment.

------- Comment #3 From Radoslaw Stachowiak 2005-10-16 03:28:32 0000 -------
will do today.

------- Comment #4 From Radoslaw Stachowiak 2005-10-17 15:06:18 0000 -------
fixed in portage with two new versions 2.7.8 and 2.8.2 which contain fixes for
the vulnerability.

2.6.x is not supported, we have no information if this can be even patched.

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-10-17 22:53:16 0000 -------
Thx Radoslaw.

Arches please test and mark stable.

------- Comment #6 From Gustavo Zacarias (RETIRED) 2005-10-18 06:43:13 0000 -------
Hmm which version? 2.7.8 or 2.8.2?

------- Comment #7 From Thierry Carrez (RETIRED) 2005-10-18 06:50:34 0000 -------
Latest stable was 2.7.7, so 2.7.8 should probably be the stable target.

------- Comment #8 From Gustavo Zacarias (RETIRED) 2005-10-18 07:26:26 0000 -------
sparc stable.

------- Comment #9 From Michael Hanselmann (hansmi) (RETIRED) 2005-10-18 11:08:44 0000 -------
ppc done.

------- Comment #10 From Bryan Østergaard (RETIRED) 2005-10-18 15:24:51 0000 -------
Alpha stable.

------- Comment #11 From Thierry Carrez (RETIRED) 2005-10-19 02:06:29 0000 -------
Not sure what this is about. Can't find anything clear in the Changelog...
Maybe that:

<<disabled ".. include" directive for all the ZReST product and the
reStructuredText package>>

Looks like a file inclusion issue... maybe local file disclosure ?

Radoslaw, any info ?
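
For readers who render reStructuredText from untrusted users in their own code, the following is an added example (not part of this bug, the Zope hotfix, or the docutils project) of the mitigation the hotfix describes: switching docutils' file-insertion machinery off so that `.. include::` (and the file/url forms of `.. raw::`) cannot read from the server. The docutils setting names `file_insertion_enabled`, `raw_enabled`, `halt_level`, `report_level` and `warning_stream` are assumed from current docutils, not taken from this page; the regex pre-check is an extra defence-in-depth layer, not the control itself, and the sample document is constructed.

```python
"""Render reStructuredText from untrusted users with docutils' file-insertion
machinery switched off, plus a pre-check that flags the affected directives.
Added example; docutils is an assumed dependency."""
import io
import re

# Directives whose content can come from the server's file system (or the
# network) when docutils' file insertion is enabled.  The bug only names
# "include"; "raw" is included here as an assumption based on docutils.
FILE_INSERTION_DIRECTIVES = ("include", "raw")

# ".. name::" at any indentation.  Docutils directive names are
# case-insensitive, so matches are normalised to lower case below.
_DIRECTIVE_RE = re.compile(r"^[ \t]*\.\.[ \t]+([\w-]+)::", re.MULTILINE)


def find_file_insertion_directives(text):
    """Return the file-insertion directive names used in `text`, in document order."""
    names = (m.group(1).lower() for m in _DIRECTIVE_RE.finditer(text))
    return [n for n in names if n in FILE_INSERTION_DIRECTIVES]


def hardened_settings():
    """docutils settings_overrides for untrusted input.

    file_insertion_enabled=False makes the include directive (and the :file:/
    :url: options of raw) emit a '"include" directive disabled.' warning
    instead of reading the file; raw_enabled=False removes raw pass-through.
    """
    return {
        "file_insertion_enabled": False,
        "raw_enabled": False,
        "report_level": 2,                # keep warnings in the output so the author sees why
        "halt_level": 5,                  # never raise SystemMessage on a bad document
        "warning_stream": io.StringIO(),  # keep parser warnings off the server's stderr
    }


def render_untrusted(text):
    """Render `text` to an HTML body fragment using the hardened settings."""
    from docutils.core import publish_parts  # assumed dependency
    parts = publish_parts(source=text, writer_name="html",
                          settings_overrides=hardened_settings())
    return parts["body"]


if __name__ == "__main__":
    # Constructed sample of what a through-the-web user might submit.
    SAMPLE = (
        "Hello\n"
        "=====\n\n"
        "Some *emphasis*.\n\n"
        ".. include:: /etc/passwd\n\n"
        ".. raw:: html\n"
        "   :file: /etc/hostname\n"
    )
    print("flagged directives:", find_file_insertion_directives(SAMPLE))
    # The rendered body keeps the normal markup and replaces each disabled
    # directive with a visible system message instead of file contents.
    print(render_untrusted(SAMPLE))
```

With these overrides the include directive is replaced in the output by a docutils system message rather than by the contents of the named file, while ordinary markup renders as before; the pre-check lets an application reject or log such submissions before rendering, but the settings are what actually closes the hole.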

------- Comment #12 From Radoslaw Stachowiak 2005-10-19 04:50:05 0000 -------
I think we can provide general information about file inclusion, but give
clear info that this allows untrusted users to break the security of Zope
through the web.

------- Comment #13 From Radoslaw Stachowiak 2005-10-19 04:52:06 0000 -------
I also need to release 2.8.3 tonight, because there were some problems on
zope2.8.2 release (http://www.zope.org/Products/Zope/2.8.3/CHANGES.txt)

------- Comment #14 From Radoslaw Stachowiak 2005-10-19 13:45:54 0000 -------
Release 2.8.3.
I suggest that the advisory also mention that for the 2.8.x branch the upgrade
to 2.8.3 should be done.

------- Comment #15 From Mark Loeser 2005-10-19 22:51:52 0000 -------
stable on x86

------- Comment #16 From Thierry Carrez (RETIRED) 2005-10-20 08:28:22 0000 -------
Radoslaw: removing/masking the 2.8.2 version is the best way to achieve the
result from comment #14. 

Technically >=2.8.2 is fixed (security-wise) so that's probably what we'll put
in the GLSA. They will pick up 2.8.3 naturally if 2.8.2 is missing...

------- Comment #17 From Thierry Carrez (RETIRED) 2005-10-21 08:18:58 0000 -------
amd64 still missing, should mark 2.7.8 stable

------- Comment #18 From Simon Stelling (RETIRED) 2005-10-23 04:48:08 0000 -------
amd64 stable, sorry for the delay

------- Comment #19 From Thierry Carrez (RETIRED) 2005-10-25 04:49:14 0000 -------
GLSA 200510-20