Vulnerability: zope
Affected: zope

Description:
A security advisory was released indicating that Erik Enge found a problem in the way Zope calculates roles. In some situations Zope checked the wrong folder hierarchy, which could cause it to grant local roles when it should not. In other words: users with privileges in one folder could gain privileges in another folder.

Another security alert was released revealing a potential problem found by Peter Kelly. This problem involved incorrect protection of data updating for Image and File objects: any user with DTML editing privileges could update the File or Image object data directly.

Aleksander Salwa has reported a security issue that affects all Zope versions up to and including Zope 2.2.4. The issue involves security registration of "legacy" names for certain object constructors, such as the constructors for DTML Method objects. Security was not being applied correctly for the legacy names, making it possible to call those constructors without the permissions that should have been required. This issue could allow anonymous users with enough internal knowledge of Zope to instantiate new DTML Method instances through the Web. Only Zope 2.2.0 and up are affected.
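The legacy-name issue above is an instance of a general registry flaw: a permission check keyed on the requested name fails open for alias names that were never registered. The following is an added, constructed model (not Zope's code; constructor names, permission strings and the registry shape are all assumed) showing the fail-open check, the fail-closed fix that resolves aliases first, and an audit that lists names callable without any permission.

```python
# Constructed model of the "legacy constructor name" issue; not Zope's code.
# Canonical constructor name -> permission a caller must hold (assumed values).
PROTECTED = {
    "add_dtml_method": "Add DTML Methods",
    "add_folder": "Add Folders",
}

# Older ("legacy") spellings that still dispatch to the same constructors.
# In the flawed setup these aliases were never registered in PROTECTED.
LEGACY_ALIASES = {
    "add_document": "add_dtml_method",
    "add_dir": "add_folder",
}


def resolve_constructor(name):
    """Map a requested name to the constructor that would actually run."""
    return LEGACY_ALIASES.get(name, name)


def vulnerable_can_call(name, user_permissions):
    """Flawed check: looks up the requested name only and treats any name
    with no registered permission as unprotected (fail-open)."""
    required = PROTECTED.get(name)
    if required is None:
        return True          # a legacy alias falls through unchecked
    return required in user_permissions


def fixed_can_call(name, user_permissions):
    """Hardened check: resolve the alias first, then require a registered
    permission for the canonical name; anything unregistered is denied."""
    required = PROTECTED.get(resolve_constructor(name))
    if required is None:
        return False         # fail-closed: unregistered constructors are not callable
    return required in user_permissions


def audit_unprotected(check=vulnerable_can_call):
    """Defender's check: which callable names are granted to a caller that
    holds no permissions at all? Returns them sorted."""
    all_names = set(PROTECTED) | set(LEGACY_ALIASES)
    return sorted(n for n in all_names if check(n, frozenset()))
```

Run `audit_unprotected()` against the flawed check and it reports both legacy aliases; against `fixed_can_call` it reports nothing.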
Solution:

For Debian:
http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-5.4.diff.gz
http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-5.4.dsc
http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/zope_2.1.6-5.4_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/zope_2.1.6-5.4_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/zope_2.1.6-5.4_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/zope_2.1.6-5.4_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/zope_2.1.6-5.4_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/zope_2.1.6-5.4_sparc.deb

For RedHat:
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-components-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-core-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-pcgi-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-services-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-zpublisher-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-zserver-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/Zope-ztemplates-2.2.4-3.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-components-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-core-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-pcgi-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-services-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-zpublisher-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-zserver-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/Zope-ztemplates-2.2.4-3.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-components-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-core-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-pcgi-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-services-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-zpublisher-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-zserver-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/Zope-ztemplates-2.2.4-3.i386.rpm
ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-2.2.4-3.src.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-components-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-core-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-pcgi-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-services-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-zpublisher-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-zserver-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/alpha/Zope-ztemplates-2.2.4-4.alpha.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-components-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-core-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-pcgi-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-services-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-zpublisher-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-zserver-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/Zope-ztemplates-2.2.4-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/SRPMS/Zope-2.2.4-4.src.rpm
ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-Hotfix-DTML-2000_12_18-1.src.rpm
ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-DTML-2000_12_18-1.noarch.rpm
ftp://updates.redhat.com/powertools/7.0/SRPMS/Zope-Hotfix-DTML-2000_12_18-1.src.rpm
ftp://updates.redhat.com/powertools/7.0/noarch/Zope-Hotfix-DTML-2000_12_18-1.noarch.rpm

For Linux-Mandrake:
Linux-Mandrake 7.1:
7.1/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
7.1/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
7.1/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
7.1/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
7.1/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
7.1/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
7.1/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
7.1/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
7.1/SRPMS/Zope-2.2.4-1.2mdk.src.rpm
Linux-Mandrake 7.2:
7.2/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
7.2/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
7.2/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
7.2/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
7.2/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
7.2/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
7.2/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
7.2/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
7.2/SRPMS/Zope-2.2.4-1.2mdk.src.rpm

For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.4.tgz

The hotfix for this issue is available on the zope.org web site:
http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz