Hotfix 2005-10-09 Alert This hotfix addresses an important security issue that affects users of Zope versions 2.6 or higher. This hotfix resolves a security issue with docutils. Affected are possibly all Zope instances that expose reStructuredText functionalities to untrusted users through the web.
net-zope herd, please apply hotfix
Also in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334054. Zope team, please bump. If you find out what the impact of the flaw is, please comment.
will do today.
Fixed in portage with two new versions, 2.7.8 and 2.8.2, which contain fixes for the vulnerability. 2.6.x is not supported; we have no information on whether it can even be patched.
Thx Radoslaw. Arches please test and mark stable.
Hmm which version? 2.7.8 or 2.8.2?
Latest stable was 2.7.7, so 2.7.8 should probably be the stable target.
sparc stable.
ppc done.
Alpha stable.
Not sure what this is about. Can't find anything clear in the ChangeLog... Maybe this: <<disabled ".. include" directive for all the ZReST product and the reStructuredText package>>. Looks like a file inclusion issue... maybe local file disclosure? Radoslaw, any info?
I think we can provide general information about file inclusion, but give clear info that this allows breaking the security of Zope for untrusted users through the web.
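The fix discussed in the two comments above disables the docutils ".. include" directive. As an added example for this thread (not Zope's or docutils' own code), the following renders untrusted reStructuredText with docutils' own file insertion switched off and checks that both the include and raw directives are refused; it assumes docutils is installed, and the markup and path are constructed.

```python
# Added example for this thread (not Zope's or docutils' own code): render
# untrusted reStructuredText with file insertion disabled. Assumes docutils.
from docutils import nodes
from docutils.core import publish_doctree, publish_parts

# Hardened settings for markup from untrusted web users: file_insertion_enabled
# refuses ".. include::" (and :file:/:url: on ".. raw::") before any path is
# opened; raw_enabled refuses ".. raw::" entirely; halt_level=5 keeps even
# severe parser errors as inline system messages instead of an exception, so a
# hostile document cannot take the renderer down; _disable_config ignores any
# docutils.conf on the host that could silently re-enable insertion.
SAFE_SETTINGS = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
    "halt_level": 5,
    "_disable_config": True,
}

# Constructed sample of what an untrusted user could submit; the path is a
# placeholder and, with the settings above, is never opened.
UNTRUSTED_RST = """\
Harmless heading
================

.. include:: /path/outside/the/site/secret.txt

.. raw:: html
   :file: /path/outside/the/site/secret.txt
"""

def system_messages(rst_text, settings=SAFE_SETTINGS):
    """Parse `rst_text` and return the text of every system message docutils
    attached to the document (one per refused directive)."""
    doctree = publish_doctree(rst_text, settings_overrides=settings)
    walk = getattr(doctree, "findall", None) or doctree.traverse  # renamed in 0.18
    return [msg.astext() for msg in walk(nodes.system_message)]

def check_hardened(rst_text):
    """Report whether the include and raw directives were refused."""
    msgs = system_messages(rst_text)
    return {
        "include_blocked": any('"include" directive disabled' in m for m in msgs),
        "raw_blocked": any('"raw" directive disabled' in m for m in msgs),
    }

def render_html(rst_text):
    """HTML body fragment for `rst_text` under the hardened settings."""
    return publish_parts(rst_text, writer_name="html",
                         settings_overrides=SAFE_SETTINGS)["body"]
```

Unlike a regex pre-filter, this refuses the directives inside the parser itself, so it also covers indentation and case variants of the directive name.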
I also need to release 2.8.3 tonight, because there were some problems with the Zope 2.8.2 release (http://www.zope.org/Products/Zope/2.8.3/CHANGES.txt).
Released 2.8.3. I suggest that the advisory also mention that for the 2.8.x branch an upgrade to 2.8.3 should be done.
Stable on x86.
Radoslaw: removing/masking the 2.8.2 version is the best way to achieve the result from comment #14. Technically >=2.8.2 is fixed (security-wise) so that's probably what we'll put in the GLSA. They will pick up 2.8.3 naturally if 2.8.2 is missing...
amd64 still missing; should mark 2.7.8 stable.
amd64 stable, sorry for the delay.
GLSA 200510-20