Debian Bug report logs - #334055
zope2.7: security issue with docutils wrt RestructuredText functionalities (Zope Hotfix 2005-10-09)


Package: zope2.7; Maintainer for zope2.7 is (unknown);

Reported by: Jens Nachtigall <nachtigall@web.de>

Date: Sat, 15 Oct 2005 09:18:10 UTC

Severity: grave

Tags: security

Found in version zope2.7/2.7.5-2

Fixed in versions zope2.7/2.7.8-1, 2.7.5-2sarge1

Done: A Mennucc <debdev@mennucci.sns.it>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#334055; Package zope2.7.

Acknowledgement sent to Jens Nachtigall <nachtigall@web.de>:
New Bug report received and forwarded. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Jens Nachtigall <nachtigall@web.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zope2.7: security issue with docutils wrt RestructuredText functionalities (Zope Hotfix 2005-10-09)
Date: Sat, 15 Oct 2005 11:13:17 +0200
Package: zope2.7
Severity: grave
Justification: user security hole

Please see:
http://www.zope.org/Products/Zope/Hotfix_2005-10-09/security_alert

A patch for 2.7 is available there.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8jens01-ifplugd-b44
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#334055; Package zope2.7.

Acknowledgement sent to mennucc1@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>.

Message #10 received at 334055@bugs.debian.org:

From: debdev@tonelli.sns.it (A Mennucc)
To: pkg-zope-developers@lists.alioth.debian.org
Cc: 334055@bugs.debian.org, security@debian.org
Subject: zope2.7 security fix (bug 334055 )
Date: Mon, 17 Oct 2005 11:08:49 +0200
hi

I have (hopefully) fixed the bug 334055 that is a security alert.

This is the proposed update for sarge :
 http://tonelli.sns.it/pub/mennucc1/zope/debian/sarge-security/zope2.7_2.7.5-2sec1_source.changes

This is the proposed update for etch :
 http://tonelli.sns.it/pub/mennucc1/zope/debian/etch-security/zope2.7_2.7.5-3sec1_source.changes

This is the patch that I applied :
 http://tonelli.sns.it/pub/mennucc1/zope/debian/sarge-security/zope-hotfix_2005-10-09-sarge.diff

Note that my patch is much smaller than the original hotfix :
 http://tonelli.sns.it/pub/mennucc1/zope/debian/sarge-security/zope-hotfix_2005-10-09-upstream.diff
which included also some new features such as nl and ca languages - but
usually we do not add new features in Debian when releasing security
upgrades.

Unfortunately all the above is source-only : I do not have here available
a clean pure Sarge or Etch build environment.

Can I upload a source-only in stable-security and testing-security ?

I have made available a binary version:
I compiled the etch source (and I am happily running it), it is available at 
http://tonelli.sns.it/pub/mennucc1/zope/debian/tmp/zope2.7_2.7.5-3sec1_i386.deb
but it was compiled on my PC that is a mixture of sarge and etch,
so it may miswork both in sarge and in etch  :-( .

I would also appreciate if someone who understands what 334055 is about 
would compile and test my fix to see if it works.

a.

-- 
Andrea Mennucc
 "Ukn ow,Ifina llyfixe dmysp acebar.ohwh atthef"

Reply sent to Fabio Tranchitella <kobold@debian.org>:
You have taken responsibility.

Notification sent to Jens Nachtigall <nachtigall@web.de>:
Bug acknowledged by developer.

Message #15 received at 334055-close@bugs.debian.org:

From: Fabio Tranchitella <kobold@debian.org>
To: 334055-close@bugs.debian.org
Subject: Bug#334055: fixed in zope2.7 2.7.8-1
Date: Sun, 23 Oct 2005 16:50:14 -0700
Source: zope2.7
Source-Version: 2.7.8-1

We believe that the bug you reported is fixed in the latest version of
zope2.7, which is due to be installed in the Debian FTP archive:

zope2.7-sandbox_2.7.8-1_all.deb
  to pool/main/z/zope2.7/zope2.7-sandbox_2.7.8-1_all.deb
zope2.7_2.7.8-1.diff.gz
  to pool/main/z/zope2.7/zope2.7_2.7.8-1.diff.gz
zope2.7_2.7.8-1.dsc
  to pool/main/z/zope2.7/zope2.7_2.7.8-1.dsc
zope2.7_2.7.8-1_i386.deb
  to pool/main/z/zope2.7/zope2.7_2.7.8-1_i386.deb
zope2.7_2.7.8.orig.tar.gz
  to pool/main/z/zope2.7/zope2.7_2.7.8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 334055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Tranchitella <kobold@debian.org> (supplier of updated zope2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 23 Oct 2005 23:16:22 +0000
Source: zope2.7
Binary: zope2.7 zope2.7-sandbox
Architecture: source i386 all
Version: 2.7.8-1
Distribution: unstable
Urgency: low
Maintainer: Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>
Changed-By: Fabio Tranchitella <kobold@debian.org>
Description: 
 zope2.7    - Open Source Web Application Server
 zope2.7-sandbox - sandbox instance for the zope2.7 web application server
Closes: 284462 313621 313621 313644 321405 324438 324439 329380 331726 332177 334055
Changes: 
 zope2.7 (2.7.8-1) unstable; urgency=low
 .
   * New upstream release (2.7.8), which closes a security hole within
     RestructuredText functionalities. (Closes: #334055)
   * debian/patches/deb-zope.conf: fixed a local security bug within
     mkzopeinstance. (Closes: #313644, #313621)
   * debian/patches/zope-sortex.dpatch: fixed bug with the function
     strcoll_nocase. (Closes: #329380)
   * debian/control: depends on debconf | debconf-2.0. (Closes: #332177)
   * Starting from this release, we won't ship anymore mkzope2.7instance
     in unstable. (Closes: #313621)
   * We do not provide templates anymore, they have been moved to zope-common.
     (Closes: #324438, #324439, #331726)
   * Close fixed-in-experimental bug reports. (Closes: #321405, #284462)
   * debian/control: set maintainer as Debian/Ubuntu Zope Team.
Files: 
 b671a639e822e0fc2f4d71b11d93d31a 850 web optional zope2.7_2.7.8-1.dsc
 7e0eaefe7e0b9a753f1dee7a73a0aca5 2952102 web optional zope2.7_2.7.8.orig.tar.gz
 65f0bf6d19e3ea7996c6c8a02f09929b 29619 web optional zope2.7_2.7.8-1.diff.gz
 efb25d0908abc7f8fd4f3adf61276422 2614030 web optional zope2.7_2.7.8-1_i386.deb
 93484f0c9d7117b2cf5a5c5c99e3c264 47740 web optional zope2.7-sandbox_2.7.8-1_all.deb





Tags added: security. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Bug marked as found in version 2.7.5-2. Request was from debdev@tonelli.sns.it (A Mennucc) to control@bugs.debian.org.

Reply sent to A Mennucc <debdev@mennucci.sns.it>:
You have taken responsibility.

Notification sent to Jens Nachtigall <nachtigall@web.de>:
Bug acknowledged by developer.

Message #24 received at 334055-done@bugs.debian.org:

From: A Mennucc <debdev@mennucci.sns.it>
To: 334055-done@bugs.debian.org
Subject: new security release fixed security hole
Date: Sat, 26 Nov 2005 10:50:43 +0100
Version: 2.7.5-2sarge1
Zope Hotfix 2005-10-09 [CVE-2005-3323], Bug#334055
were all fixed in release 2.7.5-2sarge1 for sarge



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 09:01:20 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:33:03 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.