
[linux-security] Zope vulnerabilities



Topic
=====
Several vulnerabilities have been found recently in the zope package.

Problem Description
===================
The Z Object Programming Environment (Zope) is a Python-based application
server for building high-performance, dynamic web sites, using a powerful
and simple scripting object model and high-performance, integrated object
database.

A vulnerability exists in Zope where users can create new DTML method
instances through the Web without having the correct permissions.

Also, there exists a problem due to incorrect protection of data updating
for Image and File objects: any user with DTML editing privileges could
update the File or Image object data directly.

Affected Systems
================
Systems that have Zope installed (usually Apache web servers).

Solution
========

Debian 2.2 (potato)
update to zope_2.1.6-5.4_i386.deb

Mandrake 7.1, 7.2
rpm -Fvh Zope-2.2.4-1.2mdk.i586.rpm \
         Zope-components-2.2.4-1.2mdk.i586.rpm \
         Zope-core-2.2.4-1.2mdk.i586.rpm \
         Zope-pcgi-2.2.4-1.2mdk.i586.rpm \
         Zope-services-2.2.4-1.2mdk.i586.rpm \
         Zope-zpublisher-2.2.4-1.2mdk.i586.rpm \
         Zope-zserver-2.2.4-1.2mdk.i586.rpm \
         Zope-ztemplates-2.2.4-1.2mdk.i586.rpm

RedHat 6.1, 6.2, 7.0
RedHat ships Zope as part of the powertools packages, not with its
standard distributions.
Upgrading is a two-step process. First update to version 2.2.4-3 or 2.2.4-4:
RH 6.1, 6.2
rpm -Fvh Zope-2.2.4-3.i386.rpm \
         Zope-components-2.2.4-3.i386.rpm \
         Zope-core-2.2.4-3.i386.rpm \
         Zope-pcgi-2.2.4-3.i386.rpm \
         Zope-services-2.2.4-3.i386.rpm \
         Zope-zpublisher-2.2.4-3.i386.rpm \
         Zope-zserver-2.2.4-3.i386.rpm \
         Zope-ztemplates-2.2.4-3.i386.rpm
RH 7.0
rpm -Fvh Zope-2.2.4-4.i386.rpm \
         Zope-components-2.2.4-4.i386.rpm \
         Zope-core-2.2.4-4.i386.rpm \
         Zope-pcgi-2.2.4-4.i386.rpm \
         Zope-services-2.2.4-4.i386.rpm \
         Zope-zpublisher-2.2.4-4.i386.rpm \
         Zope-zserver-2.2.4-4.i386.rpm \
         Zope-ztemplates-2.2.4-4.i386.rpm
and then apply the following hotfix:
rpm -Fvh Zope-Hotfix-localroles-2000_12_15a-1.noarch.rpm
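As an added example (not part of the advisory), a Python check that reads `rpm -qa` output and reports which Zope packages are still below the fixed releases listed above, and whether the RedHat hotfix is missing; it assumes the RPM-based distributions only (Debian's dpkg version ordering differs) and uses a constructed sample package list.

```python
# Added example: audit `rpm -qa` output against the fixed Zope releases above.
import re

# Fixed (version, release) per distribution, as given in the Solution section.
FIXED = {
    "mandrake": ("2.2.4", "1.2mdk"),   # Mandrake 7.1, 7.2
    "redhat6": ("2.2.4", "3"),         # RedHat 6.1, 6.2
    "redhat7": ("2.2.4", "4"),         # RedHat 7.0
}
HOTFIX = "Zope-Hotfix-localroles"      # required on RedHat after the update

def split_nvr(pkg):
    """'Zope-core-2.2.4-3.i386' -> ('Zope-core', '2.2.4', '3')."""
    pkg = re.sub(r"\.(i386|i586|i686|noarch)(\.rpm)?$", "", pkg)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def _segments(s):
    # rpmvercmp-style: numeric runs sort above alphabetic runs, digits by value
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """-1, 0 or 1 as version string a is older than, equal to, newer than b."""
    sa, sb = _segments(a), _segments(b)
    return (sa > sb) - (sa < sb)

def is_fixed(pkg, distro):
    """True if the installed package is at or above the advisory's fixed release."""
    _, version, release = split_nvr(pkg)
    fixed_version, fixed_release = FIXED[distro]
    cmp = vercmp(version, fixed_version) or vercmp(release, fixed_release)
    return cmp >= 0

def audit(rpm_qa_output, distro):
    """Return (outdated Zope package names, hotfix_missing) for one host."""
    outdated, hotfix_seen = [], False
    for line in rpm_qa_output.split():
        if line.startswith(HOTFIX):
            hotfix_seen = True
        elif line.startswith("Zope") and not is_fixed(line, distro):
            outdated.append(split_nvr(line)[0])
    return outdated, distro.startswith("redhat") and not hotfix_seen

# Constructed sample of `rpm -qa` output from a partially updated RedHat 7.0 host.
SAMPLE_RPM_QA = """\
Zope-2.2.4-4
Zope-core-2.2.4-4
Zope-zpublisher-2.2.4-3
apache-1.3.14-3
"""
```

Running `audit(SAMPLE_RPM_QA, "redhat7")` flags Zope-zpublisher as outdated and reports the hotfix as missing.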