Bug 140496 - dev-lang/python, dev-python/{cherrypy,py2play}, net-zope/zope - security cleanup needed
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Python Gentoo Team
Reported: 2006-07-15 07:32 UTC by Jakub Moc (RETIRED)
Modified: 2006-07-15 15:36 UTC (History)
Description Jakub Moc (RETIRED) gentoo-dev 2006-07-15 07:32:43 UTC
dev-lang/python-2.1.3-r1: vulnerable via glsa(200509-08) ( ver-rev < 2.3.5-r2 ), affects ('alpha', 'ia64', 'ppc', 'sparc', 'x86')
dev-lang/python-2.1.3-r1: vulnerable via glsa(200502-09) ( ver <= 2.3.4 && ver-rev not => 2.3.4-r1 && not ( ver = 2.3.3 && ver-rev => 2.3.3-r2 ) && not ( ver = 2.2.3 && ver-rev => 2.2.3-r6 ) ), affects ('alpha', 'ia64', 'ppc', 'sparc', 'x86')
dev-lang/python-2.2.3-r6: vulnerable via glsa(200509-08) ( ver-rev < 2.3.5-r2 ), affects ('alpha', 'amd64', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 'sparc', 'x86')

Please, clean up the above. Thanks. ;)
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-07-15 07:40:19 UTC
Also:

dev-python/cherrypy-2.0.0: vulnerable via glsa(200605-16) ( ver < 2.1.1 ), affects ('ppc', 'x86')
dev-python/cherrypy-2.1.0: vulnerable via glsa(200605-16) ( ver < 2.1.1 ), affects ('amd64', 'ppc', 'x86')

dev-python/py2play-0.1.2: vulnerable via glsa(200509-09) ( ver <= 0.1.7 ), affects ('x86',)
dev-python/py2play-0.1.6: vulnerable via glsa(200509-09) ( ver <= 0.1.7 ), affects ('ppc', 'x86')
dev-python/py2play-0.1.7: vulnerable via glsa(200509-09) ( ver <= 0.1.7 ), affects ('ppc', 'x86')
Comment 2 Alastair Tse (RETIRED) gentoo-dev 2006-07-15 11:01:05 UTC
I've cleaned up py2play and cherrypy, but there are still packages that depend on python-2.1, like net-zope/zope.

we'll have to clean those ones as well.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-07-15 11:17:21 UTC
Thanks. While zope folks are CCed here:

net-zope/zope-2.6.4-r1: vulnerable via glsa(200510-20) ( ( ver < 2.7.8 || ver = 2.8.0 || ver = 2.8.1 ) ), affects ('alpha', 'ppc', 'sparc', 'x86')
net-zope/zope-2.7.7: vulnerable via glsa(200510-20) ( ( ver < 2.7.8 || ver = 2.8.0 || ver = 2.8.1 ) ), affects ('alpha', 'amd64', 'ppc', 'sparc', 'x86')
Comment 4 Radoslaw Stachowiak (RETIRED) gentoo-dev 2006-07-15 12:08:35 UTC
After reading the GLSA, it looks like only python 2.3 and newer is an option.
This will, however, completely remove zope-2.6.4.

While it's definitely old, I suspect that there may be some users still using them :(

What options do we have? package.mask? Removing this ebuild at once is rather a bad solution.
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-07-15 12:26:08 UTC
(In reply to comment #4)
> What options do we have? package.mask? Removing this ebuild at once is
> rather a bad solution.

Well yeah, I guess there's nothing wrong w/ leaving that in the tree package.masked for a while.
Comment 6 Radoslaw Stachowiak (RETIRED) gentoo-dev 2006-07-15 12:40:55 UTC
Jakub, could you help me here and put it in package.mask?
I've never done it before, and I do not want to break something while changing a global file. The comment should say that the package should be removed completely after some time (60 days?).
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2006-07-15 12:43:00 UTC
(In reply to comment #6)
> Jakub, could you help me here and put it in package.mask?

I guess liquidx will handle it for you... :) Pretty tough luck w/ me as I have readonly CVS access :=)
Comment 8 Alastair Tse (RETIRED) gentoo-dev 2006-07-15 15:28:01 UTC
That is a good point. I think a p.mask is probably suitable enough. I'll add net-zope/zope-2.6.* along with <dev-lang/python-2.3 there as well. They can blame me if it breaks something.
Comment 9 Alastair Tse (RETIRED) gentoo-dev 2006-07-15 15:36:36 UTC
added to p.mask:

+# Alastair Tse <liquidx@gentoo.org> (15 Jul 2006)
+# Python 2.1 and 2.2 have reported vunerabilities. Masked pending
+# removal, along with net-zope/zope-2.6. (GLSA: 200509-08, 200502-09,
+# 200510-20)
+<dev-lang/python-2.3
+=net-zope/zope-2.6*
+
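Review bot: the comment line has a typo, "vunerabilities" should be "vulnerabilities". More substantively, `=net-zope/zope-2.6*` covers zope-2.6.4-r1 but not net-zope/zope-2.7.7, which comment 3 also lists as affected by GLSA 200510-20 (ver < 2.7.8); either widen the mask to `<net-zope/zope-2.7.8` or remove that ebuild in the same commit. `<dev-lang/python-2.3` does match the two python versions from the description, but any remaining 2.3.x ebuild older than 2.3.5-r2 (the threshold in GLSA 200509-08) would stay unmasked, so confirm none is left in the tree.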
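Added example, not part of this bug and not Gentoo's own tooling: a small Python checker that parses the version strings used in this bug and tests whether the package.mask atoms from comment 9 cover the versions the description and comment 3 list as affected. It assumes a simplified version syntax (dotted numbers plus an optional -rN revision) and only the two atom forms that appear in the diff.

```python
import re

# Assumed, simplified Gentoo version syntax: dotted numbers plus an optional
# -rN revision. Portage also knows suffixes such as _rc1 or _p2; they do not
# occur in this bug, so they are rejected rather than mis-parsed.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
_ATOM_RE = re.compile(r"^([<>=]+)(.+?)-(\d\S*)$")


def parse_version(ver):
    """'2.3.5-r2' -> ((2, 3, 5), 2); a missing revision counts as r0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version syntax: %r" % ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def atom_matches(atom, pkg, ver):
    """True if a package.mask atom covers pkg-ver. Handles only the forms in
    comment 9: '<cat/pkg-VER' and '=cat/pkg-VER*' (VER, VER.x or VER-rN)."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError("unsupported atom: %r" % atom)
    op, atom_pkg, atom_ver = m.groups()
    if atom_pkg != pkg:
        return False
    if op == "=" and atom_ver.endswith("*"):
        prefix = atom_ver[:-1]
        return (ver == prefix or ver.startswith(prefix + ".")
                or ver.startswith(prefix + "-r"))
    if op == "<":
        return parse_version(ver) < parse_version(atom_ver)
    raise ValueError("unsupported operator in atom: %r" % atom)


# Versions the bug lists as affected (description and comment 3) and the
# atoms added to package.mask in comment 9.
VULNERABLE = [
    ("dev-lang/python", "2.1.3-r1"),
    ("dev-lang/python", "2.2.3-r6"),
    ("net-zope/zope", "2.6.4-r1"),
    ("net-zope/zope", "2.7.7"),
]
MASK = ["<dev-lang/python-2.3", "=net-zope/zope-2.6*"]


def unmasked_vulnerable(vulnerable=VULNERABLE, mask=MASK):
    """Affected versions that no mask atom covers."""
    return [(p, v) for p, v in vulnerable
            if not any(atom_matches(a, p, v) for a in mask)]
```

Running `unmasked_vulnerable()` reports zope-2.7.7 as the one affected version the mask does not cover.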