Bug 109087 - net-zope/zope: docutils-related security issue
Summary: net-zope/zope: docutils-related security issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.zope.org/
Whiteboard: B2? [glsa] jaervosz
Reported: 2005-10-12 22:14 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-10-25 04:49 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-12 22:14:32 UTC
Hotfix 2005-10-09 Alert
This hotfix addresses an important security issue that affects users of Zope
versions 2.6 or higher.
This hotfix resolves a security issue with docutils.
Affected are possibly all Zope instances that expose RestructuredText
functionalities to untrusted users through the web.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-13 01:21:44 UTC
net-zope herd, please apply hotfix
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-16 03:07:30 UTC
Also in:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334054

zope team, please bump. If you find what is the impact of the flaw please comment.
Comment 3 Radoslaw Stachowiak (RETIRED) gentoo-dev 2005-10-16 03:28:32 UTC
will do today.
Comment 4 Radoslaw Stachowiak (RETIRED) gentoo-dev 2005-10-17 15:06:18 UTC
Fixed in portage with two new versions, 2.7.8 and 2.8.2, which contain fixes for
the vulnerability.

2.6.x is not supported, we have no information if this can be even patched.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-17 22:53:16 UTC
Thx Radoslaw.

Arches please test and mark stable.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-18 06:43:13 UTC
Hmm which version? 2.7.8 or 2.8.2?
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-10-18 06:50:34 UTC
Latest stable was 2.7.7, so 2.7.8 should probably be the stable target.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-18 07:26:26 UTC
sparc stable.
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-18 11:08:44 UTC
ppc done.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-18 15:24:51 UTC
Alpha stable.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-10-19 02:06:29 UTC
Not sure what this is about. Can't find anything clear in the Changelog... Maybe
that:

<<disabled ".. include" directive for all the ZReST product and the
reStructuredText package>>

Looks like a file inclusion issue... maybe local file disclosure?

Radoslaw, any info?
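The ".. include" directive quoted in this comment is the docutils mechanism that reads a local file into the rendered document. As an added illustration (not code from this bug, from Zope, or from docutils), here is a stdlib-only pre-filter that flags the docutils file-insertion directives in reST submitted by untrusted users: `include`, and `raw` when it carries a `:file:` or `:url:` option. The sample text and its paths are constructed for the example.

```python
import re
from typing import List, Tuple

# Directive line: optional indent, "..", space(s), name, optional spaces, "::".
# Indent matters: docutils still runs a directive placed inside a block quote.
_DIRECTIVE_RE = re.compile(r"^\s*\.\.\s+(?P<name>[A-Za-z][\w.-]*)\s*::")
# Option line directly under a directive, e.g. "   :file: some/path".
_OPTION_RE = re.compile(r"^\s+:(?P<opt>[\w-]+):")

def find_file_insertion_directives(text: str) -> List[Tuple[int, str]]:
    """(line_number, directive) for each directive that makes docutils read a
    file or URL: ".. include::" (what the Zope hotfix disabled) and ".. raw::"
    with a :file: or :url: option. Conservative on purpose: a directive quoted
    inside a literal block is flagged too (a false positive, never a miss)."""
    hits = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        if name == "include":
            hits.append((idx + 1, name))
        elif name == "raw":
            # The option block ends at the first line that is not ":opt: ...".
            for following in lines[idx + 1:]:
                om = _OPTION_RE.match(following)
                if om is None:
                    break
                if om.group("opt").lower() in ("file", "url"):
                    hits.append((idx + 1, name))
                    break
    return hits

def is_safe_for_untrusted(text: str) -> bool:
    """True when the text can reach the reST renderer without file access."""
    return not find_file_insertion_directives(text)

# Constructed sample of user-submitted reST; every path here is made up.
UNTRUSTED_SAMPLE = """\
A harmless paragraph.

.. include:: /path/to/private/file

.. raw:: html
   :file: /path/to/another/file

.. raw:: html

   <b>inline raw, no file access</b>

.. Include :: nested/file.rst
"""
```

On the renderer side, docutils also exposes the `file_insertion_enabled` and `raw_enabled` settings (passed through `settings_overrides` to `docutils.core.publish_parts`), which is the control to prefer where the installed version has them.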
Comment 12 Radoslaw Stachowiak (RETIRED) gentoo-dev 2005-10-19 04:50:05 UTC
I think we can provide general information about file inclusion, but give
clear info that this allows untrusted users to break the security of Zope
through the web.
Comment 13 Radoslaw Stachowiak (RETIRED) gentoo-dev 2005-10-19 04:52:06 UTC
I also need to release 2.8.3 tonight, because there were some problems on
zope2.8.2 release (http://www.zope.org/Products/Zope/2.8.3/CHANGES.txt)
Comment 14 Radoslaw Stachowiak (RETIRED) gentoo-dev 2005-10-19 13:45:54 UTC
Released 2.8.3.
I suggest that the advisory also mention that for the 2.8.x branch an upgrade
to 2.8.3 should be done.
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2005-10-19 22:51:52 UTC
stable on x86
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-10-20 08:28:22 UTC
Radoslaw: removing/masking the 2.8.2 version is the best way to achieve the
result from comment #14. 

Technically >=2.8.2 is fixed (security-wise) so that's probably what we'll put
in the GLSA. They will pick up 2.8.3 naturally if 2.8.2 is missing...
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-10-21 08:18:58 UTC
amd64 still missing, should mark 2.7.8 stable
Comment 18 Simon Stelling (RETIRED) gentoo-dev 2005-10-23 04:48:08 UTC
amd64 stable, sorry for the delay
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 04:49:14 UTC
GLSA 200510-20