See URL above, I marked 2.6.3 stable.
Zope 2.6.3 Release and Security Update

Zope 2.6.3 contains a number of security related fixes for issues resolved during a comprehensive security audit conducted in Q4 2003. You may download Zope 2.6.3 from Zope.org: http://www.zope.org/Products/Zope/2.6.3/

Users of the VerboseSecurity add-on product for Zope please note: some of the security-related changes in Zope 2.6.3 are incompatible with the VerboseSecurity product. Please uninstall the VerboseSecurity product before upgrading to 2.6.3 to avoid problems. It is expected that VerboseSecurity will be updated to be compatible with Zope 2.6.3 in the near future.

Also note that there are binary code changes in the 2.6.3 release, making it impossible to issue an external "hotfix" to resolve these issues. CVS users should be sure to update their sites and rebuild the C Python extensions to ensure that all fixes are deployed.

In the fourth quarter of 2003, a comprehensive evaluation of the changes to Python from version 2.1 to 2.3.3 was undertaken. This evaluation was designed to assess each change to the Python environment in terms of its potential impact on the Zope application server and Zope applications, with the goal of making Python 2.3.3 the required Python platform for Zope beginning with Zope 2.7. The evaluation was focused on assessing changes to Python in the following contexts:

* Changes that would have compatibility or other effects on existing or new Zope applications
* Changes that could potentially affect the Zope security architecture or change the behavior of the restricted execution environment used by Zope to run untrusted code

In the course of the evaluation, very few of the Python changes in 2.3.3 directly affected the Zope security architecture or had impacts on the restricted execution model. However, a number of pre-existing potential issues were discovered and resolved in the course of the comprehensive security audit that was performed as a part of the Python upgrade evaluation:

* For loops, list comprehensions, and other iterations in untrusted code
  Issue Description: Iteration over sequences could in some cases fail to check access to an object obtained from the sequence. Subsequent checks (such as for attribute access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* List and dictionary instance methods in untrusted code
  Issue Description: List and dictionary instance methods such as the get method of dictionary objects were not security aware and could return an object without checking access to that object. Subsequent checks (such as for attribute access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Use of "import as" in untrusted code
  Issue Description: Use of "import as" in Python scripts could potentially rebind names in ways that could be used to avoid appropriate security checks.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Use of min, max, enumerate, iter, and sum in untrusted code
  Issue Description: A number of newer built-ins were either unavailable in untrusted code or did not perform adequate security checking.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Broken binding validation in untrusted code
  Issue Description: The variables bound to page templates and Python scripts such as "context" and "container" were not checked adequately, allowing a script to potentially access those objects without ensuring the necessary permissions on the part of the executing user.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Unpacking in untrusted code
  Issue Description: Unpacking via function calls, variable assignment, exception variables and other contexts did not perform adequate security checks, potentially allowing access to objects that should have been protected.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Unicode passed to RESPONSE.write() could shut down the process
  Issue Description: Inadequate type checking could allow unicode values passed to RESPONSE.write() to be passed into deeper layers of asyncore, where an exception would eventually be generated at a level that would cause the ZServer main loop to terminate.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* PythonScript class security not initialized properly
  Issue Description: Class security was not properly initialized for PythonScripts, potentially allowing access to variables that should be protected. It turned out that most of the security assertions were in fact activated as a side effect of other code, but this fix is still appropriate to ensure that all security declarations are properly applied.
  Who Is Affected? Sites that use Python Scripts.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* XML-RPC instance marshaling may disclose protected values
  Issue Description: XML-RPC marshaling of class instances used the instance __dict__ to marshal the object, and could include attributes prefixed with an underscore name. These attributes are considered private in Zope and should generally not be disclosed.
  Who Is Affected? All Zope sites.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* DTML tag dtml-tree may allow DoS attack
  Issue Description: The dtml-tree tag used an "eval" of user-supplied data; its efforts to prevent abuse were ineffective.
  Who Is Affected? All Zope sites.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Potential cross-site scripting problem in default ZSearch interface
  Issue Description: Browsers that do not escape HTML in query strings, such as Internet Explorer 5.5, could potentially send a script tag in a query string to the ZSearch interface for cross-site scripting.
  Who Is Affected? Sites that use the default ZSearch interface.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Proxy rights on DTMLMethods transferred via acquisition
  Issue Description: DTMLMethods with proxy rights could incorrectly transfer those rights via acquisition when traversing to a parent object.
  Who Is Affected? Sites that allow users who have increased permissions in subfolders to write DTMLMethods.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Improper security assertions on DTMLDocument objects
  Issue Description: Some improper security assertions on DTMLDocument objects could potentially allow access to members that should be protected.
  Who Is Affected? Sites that use DTMLDocuments for secure content.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* PropertyManager lines and tokens properties stored as list
  Issue Description: Some property types were stored in a mutable data type (list), which could potentially allow untrusted code to effect changes on those properties without going through appropriate security checks in particular scenarios.
  Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Inadequate security assertions on admin "find" functions
  Issue Description: Inadequate security assertions on administrative "find" methods could potentially be abused.
  Who Is Affected? All Zope sites.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* ZTUtils.SimpleTree state handling
  Issue Description: The ZTUtils SimpleTree decompressed tree state data from the request without checking for final size, which could allow for certain types of DoS attacks.
  Who Is Affected? Sites that rely on the ZTUtils.SimpleTree.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue.

* Configuration file did not override security policy selection
  Issue Description: This is not really a security issue, just a usability issue. It has always been possible to alternate between C and Python implementations of the Zope security policy using certain environment variables. As of Zope 2.7, use of environment variables is deprecated in favor of the new 2.7 configuration files. The new configuration machinery was not implementing the directive used to override the default security policy.
  Who Is Affected? Zope 2.7 beta users.
  Resolution: This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher.

For more information on what is new in this release, see the CHANGES.txt and HISTORY.txt files for the release:

* http://www.zope.org/Products/Zope/2.6.3/CHANGES.txt
* http://www.zope.org/Products/Zope/2.6.3/HISTORY.txt

For more information on the available Zope releases, guidance for selecting the right distribution and installation instructions, please see: http://www.zope.org/Documentation/Misc/InstallingZope.html
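Several of the announcement's items (iteration, dict.get, unpacking) share one root cause: a path that hands an object out of a container without running the access check that a direct attribute lookup would run. The following is an added illustration written for this thread, not Zope's AccessControl code; the Protected/Policy classes, the permission names and the sample objects are all constructed stand-ins for the real security machinery. It shows the invariant the fixes restore: every way of obtaining an element runs the same check, so a caller without the required permission never holds the object at all.

```python
"""Toy model of access checks on objects obtained from containers.

Constructed illustration, not Zope code: a Protected value names the
permission a caller needs to hold it, and a Policy records which
permissions the current caller has. Subscript, dict.get, iteration and
unpacking all route through Policy.validate().
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when untrusted code tries to obtain a protected object."""


@dataclass(frozen=True)
class Protected:
    name: str
    permission: str  # permission required to obtain this object at all


@dataclass
class Policy:
    permissions: set = field(default_factory=set)

    def validate(self, obj):
        """Return obj if the caller may hold it, otherwise raise Unauthorized.
        Plain values that carry no permission requirement always pass."""
        need = getattr(obj, "permission", None)
        if need is not None and need not in self.permissions:
            raise Unauthorized(f"{obj.name} requires {need!r}")
        return obj


def guarded_getitem(policy, container, key):
    """container[key] with the access check applied to the result."""
    return policy.validate(container[key])


def guarded_get(policy, mapping, key, default=None):
    """Security-aware dict.get: the value is checked before it is returned."""
    if key not in mapping:
        return default
    return policy.validate(mapping[key])


def guarded_iter(policy, iterable):
    """Iteration (for loops, comprehensions) where each element is checked."""
    for item in iterable:
        yield policy.validate(item)


def guarded_unpack(policy, iterable, count):
    """Tuple unpacking 'a, b = seq' with every bound value checked."""
    items = tuple(guarded_iter(policy, iterable))
    if len(items) != count:
        raise ValueError(f"expected {count} values, got {len(items)}")
    return items


def visible_names(policy, seq):
    """Walk seq the way a script loop would and report which object names
    the caller obtained and which were refused."""
    obtained, refused = [], []
    for obj in seq:
        try:
            obtained.append(policy.validate(obj).name)
        except Unauthorized:
            refused.append(obj.name)
    return obtained, refused


def denied(fn, *args):
    """True if calling fn(*args) is refused by the policy."""
    try:
        fn(*args)
    except Unauthorized:
        return True
    return False


# Constructed sample data: one public object, one protected object,
# and a caller who only holds the "View" permission.
PUBLIC = Protected("public", "View")
SECRET = Protected("secret", "View Secret")
VIEWER = Policy({"View"})

if __name__ == "__main__":
    print(visible_names(VIEWER, [PUBLIC, SECRET]))
    print(denied(guarded_get, VIEWER, {"s": SECRET}, "s"))
```

The point of `visible_names` is the contrast with an unguarded `for obj in seq`: the protected object never reaches the loop body, so there is nothing left for a later attribute check to catch.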
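The ZTUtils.SimpleTree item describes inflating request-supplied state with no bound on the result. The following is an added example for this thread, not Zope's ZTUtils code; it assumes the state arrives as base64-wrapped zlib data (a constructed stand-in for the real encoding) and the 64 KiB budget is a value chosen here. It puts the unbounded pattern next to a version that stops as soon as the output exceeds the budget, so a few kilobytes of highly compressible input cannot be turned into megabytes of server memory.

```python
"""Bounded decoding of compressed state carried in a request.

Added illustration, not Zope code. The encoding (base64 over zlib) and
the size budget are assumptions made for this example.
"""
import base64
import zlib

MAX_STATE_BYTES = 64 * 1024  # budget for decoded state, chosen for this example


class StateTooLarge(ValueError):
    """Decoded state would exceed the configured budget."""


def encode_state(data: bytes) -> str:
    """Client side: compress and base64-wrap the state."""
    return base64.b64encode(zlib.compress(data)).decode("ascii")


def decode_state_unbounded(encoded: str) -> bytes:
    """The pattern the audit flagged: inflate everything, check nothing."""
    return zlib.decompress(base64.b64decode(encoded))


def decode_state(encoded: str, max_bytes: int = MAX_STATE_BYTES) -> bytes:
    """Inflate at most max_bytes of output and refuse anything larger."""
    raw = base64.b64decode(encoded, validate=True)
    inflater = zlib.decompressobj()
    # max_length caps the output; input that could not be processed within
    # that cap is kept in unconsumed_tail, so a non-empty tail means more
    # output was still pending.
    out = inflater.decompress(raw, max_bytes + 1)
    if len(out) > max_bytes or inflater.unconsumed_tail:
        raise StateTooLarge(f"decoded state exceeds {max_bytes} bytes")
    if not inflater.eof:
        raise ValueError("truncated or corrupt compressed state")
    return out


def is_rejected(encoded: str, max_bytes: int = MAX_STATE_BYTES) -> bool:
    """True if the bounded decoder refuses the input on size grounds."""
    try:
        decode_state(encoded, max_bytes)
    except StateTooLarge:
        return True
    return False


# Constructed inputs: a realistic small state, and a blob of zero bytes that
# compresses to a few kilobytes but inflates to 8 MiB.
SMALL_STATE = b"folder1:open,folder2:closed"
INFLATING_INPUT = encode_state(b"\0" * (8 * 1024 * 1024))

if __name__ == "__main__":
    print(len(INFLATING_INPUT), "bytes of input")
    print("rejected:", is_rejected(INFLATING_INPUT))
    print(decode_state(encode_state(SMALL_STATE)))
```

The decoder never allocates more than `max_bytes + 1` bytes of output, whatever the input claims; that single extra byte is what lets it distinguish "exactly at the budget" from "over it".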
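For the XML-RPC marshaling item, the fix is a filter on what gets serialised rather than a change to the wire format. The following is an added example for this thread, not Zope's XML-RPC code; the Document class, its attribute names and the "leading underscore means private" rule are constructed to match the announcement's description. It contrasts marshaling the whole instance __dict__ with marshaling only the public attributes, and parses each response back to show which names a client would actually receive.

```python
"""Marshaling an instance for XML-RPC without exposing private attributes.

Added illustration, not Zope code. Document is a constructed sample object;
the underscore convention is the rule the announcement describes.
"""
import xmlrpc.client


class Document:
    """Constructed sample object with public and private state."""

    def __init__(self):
        self.title = "Quarterly report"
        self.size = 1024
        self._owner = "admin"            # private by convention
        self.__acl = ["admin:manage"]    # name-mangled to _Document__acl


def instance_state_unsafe(obj):
    """What the flagged code marshaled: the entire instance __dict__."""
    return dict(vars(obj))


def instance_state(obj):
    """Only attributes whose names do not start with an underscore."""
    return {k: v for k, v in vars(obj).items() if not k.startswith("_")}


def marshal_response(value):
    """Serialise a value as an XML-RPC methodResponse document."""
    return xmlrpc.client.dumps((value,), methodresponse=True)


def leaked_private_names(xml_text):
    """Parse a response the way a client would and list any
    underscore-prefixed member names it contains."""
    (payload,), _method = xmlrpc.client.loads(xml_text)
    return sorted(k for k in payload if k.startswith("_"))


if __name__ == "__main__":
    doc = Document()
    print(leaked_private_names(marshal_response(instance_state_unsafe(doc))))
    print(leaked_private_names(marshal_response(instance_state(doc))))
```

Note that name-mangled attributes (`__acl` stored as `_Document__acl`) still begin with an underscore, so the same filter covers them.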
It's nice when we don't have to chase URLs down :)
sorry, will post it here directly next time :)
Heinrich, If you want to help prep the GLSA that would be great. Getting them written up currently is the bottleneck in the whole Gentoo security process. "Currently we are also exploring the idea of user contributed GLSA's. Tim Yamin <plasmaroo@gentoo> wants people to test the GLSAMaker at http://dev.gentoo.org/~plasmaroo/glsa-test and complain to him if it doesn't work."
is it ok if i just use the text from the url as description?
That should be absolutely fine.
I get the following warning when clicking on submit:

Warning: fopen(/home/plasmaroo/public_html/glsa-test/pool/89e382e925b6cec25eae2d3de4db4ad1.xml): failed to open stream: Permission denied in /home/plasmaroo/public_html/glsa-test/includes/io.filegrepper on line 170
Created attachment 24005: glsa-zope.xml

My proposal for the GLSA.
(maybe we should post a call for volunteers in the weekly newsletter)
IMO the individual resolutions in the description can be removed as they are redundant with the global <resolution>.
Okay, that GLSA looks too long. I'll sort this out tomorrow and make a nice lighter version. I have touched up the XML in the existing version, http://dev.gentoo.org/~plasmaroo/glsa-test/frame-view.php?id=200401-02 or http://dev.gentoo.org/~plasmaroo/glsa-test/data/2004/01/02.xml Thanks.
Okay; I've lightened that up a little by removing the redundant "Resolution" sections - I've also removed the last vulnerability which was for 2.7 beta 3 which we did not supply.
Currently 2.6.3 is the only stable 2.6.x Zope for x86 in the portage tree. This is unfortunate because a number of issues were created in 2.6.3 and 2.6.4 is hot on its heels. http://www.zope.org/Products/Zope/2.6.4rc1/CHANGES.txt Zope 2.7.0 is not far off either. To reiterate an earlier issue: net-zope/zope should be SLOTted. Otherwise there are issues with upgrading an existing installation. All the infrastructure pieces are there (i.e. filesystem layout). I do not think you will want to keep multiple versions co-existing for a long time, but I think it is necessary for a production site to have a smooth transition.
GLSA has been sent, yes/no? I kind of remember this ...
The GLSA was mainly not sent as a lot of it dealt with things such as the "when using a site which enables Python-scripting" thing, and we decided that any security aware administrator would not be so daft as to use software which lets users get the server to do random things. If you believe there is a need, fair enough and I can send it off, it is here: http://dev.gentoo.org/~plasmaroo/glsa-test/frame-view.php?id=d539029df997b8a3afec883d245af558
If no GLSA is to go out can we please close this bug.
We won't release a GLSA as said in comment #15, closing bug as FIXED as the fixed versions are in Portage.