Bug 385313 (CVE-2011-3587) - net-zope/zope: Arbitrary Code Execution (CVE-2011-3587)
Summary: net-zope/zope: Arbitrary Code Execution (CVE-2011-3587)
Status: RESOLVED INVALID
Alias: CVE-2011-3587
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://plone.org/products/plone/secur...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-02 04:39 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-03 00:15 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 04:39:46 UTC
From the upstream announcement at $URL:

A vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.

This is a severe vulnerability that allows an unauthenticated attacker to employ a carefully crafted web request to execute arbitrary commands with the privileges of the Zope/Plone service.

CVE-2011-3587

Versions Affected: Plone 4.0 (through 4.0.9); Plone 4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Versions of Plone that use Zope other than Zope 2.12.x and Zope 2.13.x.

This is a pre-announcement. Due to the severity of this issue we are providing an advance warning of an upcoming patch, which will be released on this page at 2011-10-04 15:00 UTC.
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-02 09:20:09 UTC
Hi Tim.

From packages.mask:

# Mike Gilbert <floppym@gentoo.org> (15 Sep 2011)
# Arfrever Frehtes Taifersar Arahesis <arfrever.fta@gmail.com> (15 Sep 2011)
# ******************************************************************************************
# Zope Toolkit, Zope and other Zope-related packages are now maintained in Progress Overlay,
# which provides more Python-related features than the main tree.
# You should switch to Progress Overlay.
# You can use 'layman -a progress' to install Progress Overlay.
# See http://www.gentoo.org/proj/en/overlays/userguide.xml for more information.
# These packages will be removed from the main tree on 2012-03-01.
# ******************************************************************************************

Nothing to do here imho.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 14:31:50 UTC
Thanks, Agostino.

That same entry excludes the current ~arch package =net-zope/zope-2.13.9:

<net-zope/zope-2.12.19
=net-zope/zope-2.13.6*
=net-zope/zope-2.13.7*
=net-zope/zope-3*

Not sure what the plan is for this package...
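As an added example (not part of this bug or of Gentoo's own tooling): a simplified matcher for the package.mask atoms quoted in comment 1, which confirms the point above that 2.12.19 and 2.13.9 fall outside the masked range while 2.13.6*, 2.13.7* and 3* are covered. It handles only numeric dotted versions with an optional -rN revision and the operators <, <=, =, =...* (component-wise prefix glob), >= and >; the _alpha/_beta/_p suffixes, the ~ operator and slots of full PMS matching are deliberately omitted, so for a real check use portage.dep.match_from_list or `emerge -pv net-zope/zope`. The MASK_BLOCK string reproduces the four entries from comment 2.

```python
"""Check which net-zope/zope versions a package.mask block covers.

Simplified Gentoo atom matcher (not a PMS-complete implementation): numeric
dotted versions, optional -rN revision, operators <, <=, =, =...*, >=, >.
"""
import re
from typing import Tuple

Version = Tuple[Tuple[int, ...], int]  # (numeric components, revision)

# Atom grammar subset: [op]category/name-version[*][-rN]
ATOM_RE = re.compile(
    r'^(?P<op>[<>]=?|=)?'
    r'(?P<cat>[A-Za-z0-9+_.-]+)/(?P<pn>[A-Za-z0-9+_-]+?)'
    r'-(?P<ver>\d+(?:\.\d+)*)(?P<glob>\*)?(?:-r(?P<rev>\d+))?$'
)

# The mask entries quoted in comment 2 (comment line added for illustration).
MASK_BLOCK = """\
# Zope packages moved to Progress Overlay
<net-zope/zope-2.12.19
=net-zope/zope-2.13.6*
=net-zope/zope-2.13.7*
=net-zope/zope-3*
"""


def parse_version(text: str) -> Version:
    """'2.13.7-r1' -> ((2, 13, 7), 1); a missing revision counts as -r0."""
    m = re.fullmatch(r'(\d+(?:\.\d+)*)(?:-r(\d+))?', text)
    if not m:
        raise ValueError(f'unsupported version string: {text!r}')
    return tuple(int(c) for c in m.group(1).split('.')), int(m.group(2) or 0)


def atom_matches(atom: str, package: str, version: str) -> bool:
    """True if `atom` selects `package` (category/name) at `version`."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f'unsupported atom: {atom!r}')
    if f"{m['cat']}/{m['pn']}" != package:
        return False
    have = parse_version(version)
    want = parse_version(m['ver'] + (f"-r{m['rev']}" if m['rev'] else ''))
    op = m['op'] or '='
    if m['glob']:
        if op != '=':
            raise ValueError(f'"*" is only valid with "=": {atom!r}')
        # =pkg-2.13.6* matches 2.13.6, 2.13.6-r1, 2.13.6.2 but not 2.13.60
        return have[0][:len(want[0])] == want[0]
    # Tuple comparison orders components left to right, then revision;
    # a plain =pkg-X matches only revision 0, as in portage.
    cmp = (have > want) - (have < want)
    return {'<': cmp < 0, '<=': cmp <= 0, '=': cmp == 0,
            '>=': cmp >= 0, '>': cmp > 0}[op]


def is_masked(mask_text: str, package: str, version: str) -> bool:
    """True if any non-comment atom in `mask_text` covers the version."""
    atoms = [line.strip() for line in mask_text.splitlines()
             if line.strip() and not line.lstrip().startswith('#')]
    return any(atom_matches(a, package, version) for a in atoms)


def mask_report(versions):
    """Map each candidate version of net-zope/zope to its masked status."""
    return {v: is_masked(MASK_BLOCK, 'net-zope/zope', v) for v in versions}


if __name__ == '__main__':
    for ver, masked in mask_report(
            ['2.12.18', '2.12.19', '2.13.6', '2.13.7-r1', '2.13.9', '3.0.1']
    ).items():
        print(f'net-zope/zope-{ver}: {"masked" if masked else "NOT masked"}')
```

Running it shows exactly the gap discussed here: the strict `<` leaves 2.12.19 unmasked, and no `=...*` entry covers 2.13.9, so both stay visible in the tree regardless of the upstream advisory.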
Comment 3 Arfrever Frehtes Taifersar Arahesis 2011-10-02 16:02:39 UTC
(I'm subscribed to zope-announce mailing list...)
New versions will be added to Progress Overlay after their release.

2.12.19 and 2.13.9 from Progress Overlay are vulnerable and will be deleted after addition of new versions.
2.13.9 from gentoo-x86 is not vulnerable, so don't mask it and don't remove it.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 23:43:27 UTC
(In reply to comment #3)
> 2.13.9 from gentoo-x86 is not vulnerable, so don't mask it and don't remove it.

Thanks, Arfrever. Do you have a pointer documenting this? The upstream advisory is pretty clear that 2.13.x is vulnerable.
Comment 5 Arfrever Frehtes Taifersar Arahesis 2011-10-03 00:02:40 UTC
Not masked ebuilds of net-zope/zope::gentoo are used only to inform users about where real ebuilds are now maintained. These ebuilds of net-zope/zope::gentoo will remain after deletion of masked net-zope/*::gentoo ebuilds and entries from gentoo-x86/profiles/package.mask.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-10-03 00:15:41 UTC
(In reply to comment #5)
> Not masked ebuilds of net-zope/zope::gentoo are used only to inform users about
> where real ebuilds are now maintained. These ebuilds of net-zope/zope::gentoo
> will remain after deletion of masked net-zope/*::gentoo ebuilds and entries
> from gentoo-x86/profiles/package.mask.

Ah! Got it, thank you. Resolving this bug as INVALID.