Bug 246411 (CVE-2008-5102) - net-zope/zope <2.9.10 <2.10.7 PythonScripts Denial of Service (CVE-2008-5102)
Summary: net-zope/zope <2.9.10 <2.10.7 PythonScripts Denial of Service (CVE-2008-5102)
Status: RESOLVED FIXED
Alias: CVE-2008-5102
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.zope.org/Products/Zope/Hot...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-11 16:37 UTC by Robert Buchholz (RETIRED)
Modified: 2009-01-06 22:29 UTC

See Also:
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-11-11 16:37:19 UTC
Zope wrote:
 PythonScripts in Zope 2 can be misused for shutting down a complete Zope 2 instance or misused for a local denial-of-service attack. This issue affects only those Zope 2 instances where users have unrestricted access to the ZMI and the ability to edit PythonScripts. This should usually not be the case for instances where the Manager access is granted only to trusted persons.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-11 16:37:45 UTC
Tupone, do these contain the fix?

*zope-2.10.7 (10 Nov 2008)
*zope-2.9.10 (10 Nov 2008)

  10 Nov 2008; Tupone Alfredo <tupone@gentoo.org> +zope-2.9.10.ebuild,
  +zope-2.10.7.ebuild:
  Version bump to 2.9.10 and 2.10.7.
Comment 2 Tupone Alfredo gentoo-dev 2008-11-11 18:50:05 UTC
Yes. They do!
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-11 20:27:47 UTC
Arches, please test and mark stable:
=net-zope/zope-2.9.10
=net-zope/zope-2.10.7
Target keywords : "alpha amd64 ppc sparc x86"
Comment 4 Markus Meier gentoo-dev 2008-11-15 10:26:08 UTC
amd64/x86 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 18:23:07 UTC
ppc stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-11-15 18:55:29 UTC
alpha/sparc stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-15 18:59:07 UTC
Ready for voting.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-11-21 16:53:23 UTC
CVE-2008-5102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5102):
  PythonScripts in Zope 2 2.11.2 and earlier, as used in Conga and
  other products, allows remote authenticated users to cause a denial
  of service (resource consumption or application halt) via certain (1)
  raise or (2) import statements.

Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:22:26 UTC
I vote NO.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-01-06 22:29:52 UTC
Manager can shut down application? NO!