Debian Bug report logs - #334054
zope: security issue with docutils wrt RestructuredText functionalities (Zope Hotfix 2005-10-09)

Package: zope; Maintainer for zope is (unknown);

Reported by: Jens Nachtigall <nachtigall@web.de>

Date: Sat, 15 Oct 2005 09:18:08 UTC

Severity: grave

Tags: security

Done: Fabio Tranchitella <fabio@tranchitella.it>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#334054; Package zope.

Acknowledgement sent to Jens Nachtigall <nachtigall@web.de>:
New Bug report received and forwarded. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Jens Nachtigall <nachtigall@web.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zope: security issue with docutils wrt RestructuredText functionalities (Zope Hotfix 2005-10-09)
Date: Sat, 15 Oct 2005 11:11:15 +0200
Package: zope
Severity: grave
Justification: user security hole

A security hole has been discovered:
http://www.zope.org/Products/Zope/Hotfix_2005-10-09/security_alert

Fixes are available for 2.7 and 2.8; I don't know how easy it is to
backport these.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8jens01-ifplugd-b44
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)



Tags added: security. Request was from Philipp Hug <debian@hug.cx> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#334054; Package zope.

Acknowledgement sent to mennucc1@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>.

Message #12 received at 334054@bugs.debian.org:

From: debdev@tonelli.sns.it (A Mennucc)
To: 334054@bugs.debian.org
Subject: fwd: [debdev: zope2.7 security fix (for bug 334055)]
Date: Wed, 9 Nov 2005 14:49:00 +0100
I think it is better if this email is also part of this bug report
(this email was sent on Oct 21).

----- Forwarded message from debdev -----

To: debian-devel@lists.debian.org
Cc: pkg-zope-developers@lists.alioth.debian.org
Subject: zope2.7 security fix  (for bug 334055)
Reply-To: mennucc1@debian.org
Mail-Followup-To: mennucc1@debian.org

hi everybody

I have (hopefully) fixed bug 334055 of zope2.7, which is a security alert.

Note that my patch is much smaller than the original hotfix,
which also included some new features such as nl and ca languages,
but usually we do not add new features in Debian when releasing security
upgrades.

--------- testing

This is the updated binary for testing/etch
http://tonelli.sns.it/pub/mennucc1/zope/debian/etch-security/zope2.7_2.7.5-3sec1.deb

I will not upload it to secure-testing-master since it violates point 1 at
http://secure-testing-master.debian.net/
"Only upload changes that have already been made in unstable."
People in the pkg-zope-team are introducing a completely
different zope framework in unstable.

--------- sarge

This is the proposed update for stable/sarge:
http://tonelli.sns.it/pub/mennucc1/zope/debian/sarge-security/zope2.7_2.7.5-2sec1_source.changes
Unfortunately I do not have a clean sarge environment available, so
you will have to compile it.

This is the diff w.r.t. the older version:
http://tonelli.sns.it/pub/mennucc1/zope/debian/sarge-security/zope-hotfix_2005-10-09-sarge.diff

Warning: do not apply that patch to the installed files of zope2.7;
it will not work. Compile the above source, or help me use a sarge buildd.

a.

ps: I wrote to the security team asking for info on the sarge upload, and never
 got an answer. Question: can I upload a source-only package to sarge-security?

ps2: I would also appreciate it if someone who understands what 334055 is about
 would compile and test my fix to see if it really works.


----- End forwarded message -----

Reply sent to Fabio Tranchitella <fabio@tranchitella.it>:
You have taken responsibility. (Tue, 18 Nov 2008 19:51:54 GMT)

Notification sent to Jens Nachtigall <nachtigall@web.de>:
Bug acknowledged by developer. (Tue, 18 Nov 2008 19:51:54 GMT)

Message #17 received at 334054-done@bugs.debian.org:

From: Fabio Tranchitella <fabio@tranchitella.it>
To: 120499-done@bugs.debian.org, 188949-done@bugs.debian.org, 192518-done@bugs.debian.org, 199531-done@bugs.debian.org, 214830-done@bugs.debian.org, 219634-done@bugs.debian.org, 221265-done@bugs.debian.org, 221722-done@bugs.debian.org, 223072-done@bugs.debian.org, 229664-done@bugs.debian.org, 238878-done@bugs.debian.org, 244644-done@bugs.debian.org, 273028-done@bugs.debian.org, 279323-done@bugs.debian.org, 291935-done@bugs.debian.org, 295521-done@bugs.debian.org, 310644-done@bugs.debian.org, 312283-done@bugs.debian.org, 324292-done@bugs.debian.org, 334054-done@bugs.debian.org, 351493-done@bugs.debian.org, 397421-done@bugs.debian.org, 405711-done@bugs.debian.org
Subject: Closing old zope bugs
Date: Tue, 18 Nov 2008 20:50:02 +0100
Hello,

I'm closing this bug report because it refers to the old zope (2.6) package
and the current zope in testing/unstable (2.10) doesn't show this problem.

-- 
Fabio Tranchitella                         http://www.kobold.it
Free Software Developer and Consultant     http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 17 Dec 2008 07:28:46 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 06:48:42 2014; Machine Name: buxtehude.debian.org
