Summary: | <net-zope/zope-{2.9.12,2.10.11,2.12.3}: XSS (CVE-2010-1104) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | net-zope+disabled |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html | | |
Whiteboard: | B4 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-04-06 03:54:05 UTC
2.9 and 2.10 done. Missing 2.12

net-zope/zope-2.12.3 was added to the tree on 2010-01-18. (I'm in net-zope alias.)

We had stable releases of 2.9.x and 2.10.x, so we need to stabilize those. Are 2.10.11 and 2.9.12 ready to go stable? If so, please add arches. Please remove vulnerable versions afterwards.

Note: by afterwards I mean after all arches are stable, not after adding arches.

Please stabilize:
net-zope/zope-2.9.12
net-zope/zope-2.10.11
I tested both versions on x86, they seem to be fine.

CVE-2010-1104 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1104): Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

stable x86, thanks Andreas

ppc done

amd64 stable

alpha/sparc stable

XSS → noglsa