
Bug 246411 (CVE-2008-5102)

Summary: net-zope/zope <2.9.10 <2.10.7 PythonScripts Denial of Service (CVE-2008-5102)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: net-zope+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.zope.org/Products/Zope/Hotfix-2008-08-12/README.txt
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-11-11 16:37:19 UTC
Zope wrote:
 PythonScripts in Zope 2 can be misused for shutting down a complete Zope 2 instance or misused for a local denial-of-service attack. This issue affects only those Zope 2 instances where users have unrestricted access to the ZMI and the ability to edit PythonScripts. This should usually not be the case for instances where the Manager access is granted only to trusted persons.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-11 16:37:45 UTC
Tupone, do these contain the fix?

*zope-2.10.7 (10 Nov 2008)
*zope-2.9.10 (10 Nov 2008)

  10 Nov 2008; Tupone Alfredo <tupone@gentoo.org> +zope-2.9.10.ebuild,
  +zope-2.10.7.ebuild:
  Version bump to 2.9.10 and 2.10.7.
Comment 2 Tupone Alfredo gentoo-dev 2008-11-11 18:50:05 UTC
Yes. They do!
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-11 20:27:47 UTC
Arches, please test and mark stable:
=net-zope/zope-2.9.10
=net-zope/zope-2.10.7
Target keywords : "alpha amd64 ppc sparc x86"
Comment 4 Markus Meier gentoo-dev 2008-11-15 10:26:08 UTC
amd64/x86 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 18:23:07 UTC
ppc stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-11-15 18:55:29 UTC
alpha/sparc stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-15 18:59:07 UTC
Ready for voting.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-11-21 16:53:23 UTC
CVE-2008-5102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5102):
  PythonScripts in Zope 2 2.11.2 and earlier, as used in Conga and
  other products, allows remote authenticated users to cause a denial
  of service (resource consumption or application halt) via certain (1)
  raise or (2) import statements.

Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:22:26 UTC
I vote NO.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-01-06 22:29:52 UTC
Manager can shutdown application? NO!