| Field | Value |
|---|---|
| Summary | net-zope/zope: docutils-related security issue |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | net-zope+disabled |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.zope.org/ |
| Whiteboard | B2? [glsa] jaervosz |
| Package list | |
| Runtime testing required | --- |
Description

Sune Kloppenborg Jeppesen (RETIRED), 2005-10-12 22:14:32 UTC

net-zope herd, please apply hotfix. Also in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334054

zope team, please bump. If you find what is the impact of the flaw please comment.

will do today.

fixed in portage with two new versions 2.7.8 and 2.8.2 which contain fixes for the vulnerability. 2.6.x is not supported, we have no information if this can be even patched.

Thx Radoslaw. Arches please test and mark stable.

Hmm which version? 2.7.8 or 2.8.2?

Latest stable was 2.7.7, so 2.7.8 should probably be the stable target.

sparc stable.

ppc done.

Alpha stable.

Not sure what this is about. Can't find anything clear in the Changelog... Maybe that: <<disabled ".. include" directive for all the ZReST product and the reStructuredText package>> Looks like a file inclusion issue... maybe local file disclosure? Radoslaw, any info?

I think we can provide general information about file inclusion, but give a clear info that this allows to break security of the zope to untrusted users through the web. I also need to release 2.8.3 tonight, because there were some problems on zope2.8.2 release (http://www.zope.org/Products/Zope/2.8.3/CHANGES.txt)

release 2.8.3. I suggest that advisory mention also that for 2.8.x branch upgrade to the 2.8.3 should be done.

stable on x86

Radoslaw: removing/masking the 2.8.2 version is the best way to achieve the result from comment #14. Technically >=2.8.2 is fixed (security-wise) so that's probably what we'll put in the GLSA. They will pick up 2.8.3 naturally if 2.8.2 is missing...

amd64 still missing, should mark 2.7.8 stable

amd64 stable, sorry for the delay

GLSA 200510-20
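The thread pins the flaw down to the reStructuredText ".. include" directive being reachable from web-submitted content, and the fix Zope shipped was to disable it. The following is an added example, not code from the bug report or from Zope or docutils: a pre-check that rejects untrusted reST carrying any directive through which the renderer would read a file or URL. The directive and option names are assumed from the docutils directive reference (docutils also offers a `file_insertion_enabled` setting for the same purpose); the sample input is constructed.

```python
import re
from typing import List, Tuple

# Directives through which docutils reads files or URLs while rendering: ``include``
# always, ``raw`` and ``csv-table`` only via a ``:file:``/``:url:`` option.
# (Assumption: names taken from the docutils directive reference, not from the bug.)
FILE_INSERTION_DIRECTIVES = {"include", "raw", "csv-table"}
FILE_OPTIONS = {"file", "url"}
DIRECTIVE_RE = re.compile(r"^(?P<indent>[ \t]*)\.\.[ \t]+(?P<name>[\w-]+)::(?P<arg>.*)$")
OPTION_RE = re.compile(r"^[ \t]*:(?P<opt>[\w-]+):")


def _indent(s: str) -> int:
    t = s.expandtabs(8)
    return len(t) - len(t.lstrip(" "))


def find_file_insertions(rst_text: str) -> List[Tuple[int, str, str]]:
    """Return (1-based line, directive, detail) for each file/URL-reading directive."""
    lines = rst_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = DIRECTIVE_RE.match(line)
        name = m.group("name").lower() if m else ""
        if name not in FILE_INSERTION_DIRECTIVES:
            continue
        if name == "include":
            findings.append((i + 1, name, m.group("arg").strip()))
            continue
        # raw / csv-table: inspect the option block, i.e. the lines indented
        # deeper than the directive marker, up to the first blank line.
        for j in range(i + 1, len(lines)):
            if not lines[j].strip() or _indent(lines[j]) <= _indent(line):
                break
            om = OPTION_RE.match(lines[j])
            if om and om.group("opt").lower() in FILE_OPTIONS:
                findings.append((j + 1, name, lines[j].strip()))
    return findings


def is_safe_to_render(rst_text: str) -> bool:
    """Gate for untrusted input: refuse the whole document rather than render it."""
    return not find_file_insertions(rst_text)


# Constructed sample of user-submitted reST (not from the bug report).
UNTRUSTED_RST = """\
.. include:: /srv/app/private/config.ini

.. raw:: html
   :file: notes.html
"""
```

Run `find_file_insertions(UNTRUSTED_RST)` to get both offending lines back with their line numbers, which is what you would log when refusing the submission.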