Bug 336317 (CVE-2010-3198) - <net-zope/zope-{2.10.12,2.11.7}: Denial of Service Vulnerability (CVE-2010-3198)
Status: RESOLVED FIXED
Alias: CVE-2010-3198
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.zope.org/Products/Zope/2.1...
Whiteboard: B3 [noglsa]
Reported: 2010-09-07 02:46 UTC by Tim Sammut (RETIRED)
Modified: 2014-02-09 13:06 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2010-09-07 02:46:10 UTC
Very limited info from $url:

This release fixes a bug which could be exploited to create a denial-of-service in certain non-default configurations of Zope (CVE-2010-3198). All users of earlier 2.10.x versions of Zope should upgrade to this version

The initial discussion of the issue appears to be at:
https://bugs.launchpad.net/zope2/+bug/627988
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:09:00 UTC
The upstream bug (https://bugs.launchpad.net/zope2/+bug/627988) says this is fixed in Zope 2.10.12 and Zope 2.11.7. There appear to be many more recent versions in the tree.

@net-zope, are any of the current packages a suitable stabilization target? Thank you.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-06-23 23:55:45 UTC
CVE-2010-3198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3198):
  ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote
  attackers to cause a denial of service (crash of worker threads) via vectors
  that trigger uncaught exceptions.
Comment 3 Arfrever Frehtes Taifersar Arahesis 2011-10-02 16:05:10 UTC
Vulnerable versions are masked.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 23:44:41 UTC
(In reply to comment #3)
> Vulnerable versions are masked.

Great, thanks. GLSA Vote: no.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:44:38 UTC
Vote: NO. Closing noglsa.