Debian Bug report logs - #377277
Zope2 contains information disclosure vulnerability


Package: zope2.8; Maintainer for zope2.8 is (unknown);

Reported by: Neil McGovern <neilm@debian.org>

Date: Fri, 7 Jul 2006 20:18:02 UTC

Severity: critical

Tags: security

Found in version zope2.8/2.8.7-1

Fixed in version zope2.8/2.8.7-2

Done: Fabio Tranchitella <kobold@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#377277; Package zope2.8. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Zope2 contains information disclosure vulnerability
Date: Fri, 07 Jul 2006 20:53:00 +0100
Package: zope2.8
Version: 2.8.7-1
Severity: critical
Tags: security

Hi there,

http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/README.txt
has been released today which contains details of an information
disclosure vulnerability in Zope2, due to Zope2's use of the docutils
module to parse and render "restructured text".

A hotfix is available at
http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705

I've asked for a CVE id, and will follow up once it's been received.

Could you start to prepare a package?

Many thanks,
Neil McGovern



Bug 377277 cloned as bugs 377285, 377286. Request was from Neil McGovern <neilm@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#377277; Package zope2.8. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #12 received at 377277@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 377285@bugs.debian.org, 377277@bugs.debian.org, 377286@bugs.debian.org
Subject: Mitre ID
Date: Sat, 8 Jul 2006 09:17:49 +0100
Hi there,

This has been given a Mitre ID CVE-2006-3458.

Please mention this in changelogs.

Cheers,
Neil
-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3



Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#377277; Package zope2.8. Full text and rfc822 format available.

Acknowledgement sent to Fabio Tranchitella <kobold@kobold.it>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #17 received at 377277@bugs.debian.org (full text, mbox):

From: Fabio Tranchitella <kobold@kobold.it>
To: Neil McGovern <neilm@debian.org>, 377277@bugs.debian.org
Cc: 377285@bugs.debian.org, 377286@bugs.debian.org
Subject: Re: [Pkg-zope-developers] Bug#377277: Mitre ID
Date: Mon, 10 Jul 2006 16:47:26 +0200
On Sat, 08/07/2006 at 09.17 +0100, Neil McGovern wrote:
> Hi there,
> 
> This has been given a Mitre ID CVE-2006-3458.
> Please mention this in changelogs.
> 
> Cheers,
> Neil

Hi Neil, 
  thanks for your reports, but I have some hardware problems and I won't
be able to work on these issues until the weekend.

Best regards,

-- 
Fabio Tranchitella                         http://www.kobold.it
Free Software Developer and Consultant     http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564

Reply sent to Fabio Tranchitella <kobold@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Neil McGovern <neilm@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 377277-close@bugs.debian.org (full text, mbox):

From: Fabio Tranchitella <kobold@debian.org>
To: 377277-close@bugs.debian.org
Subject: Bug#377277: fixed in zope2.8 2.8.7-2
Date: Tue, 11 Jul 2006 07:47:20 -0700
Source: zope2.8
Source-Version: 2.8.7-2

We believe that the bug you reported is fixed in the latest version of
zope2.8, which is due to be installed in the Debian FTP archive:

zope2.8-sandbox_2.8.7-2_all.deb
  to pool/main/z/zope2.8/zope2.8-sandbox_2.8.7-2_all.deb
zope2.8_2.8.7-2.diff.gz
  to pool/main/z/zope2.8/zope2.8_2.8.7-2.diff.gz
zope2.8_2.8.7-2.dsc
  to pool/main/z/zope2.8/zope2.8_2.8.7-2.dsc
zope2.8_2.8.7-2_i386.deb
  to pool/main/z/zope2.8/zope2.8_2.8.7-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377277@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Tranchitella <kobold@debian.org> (supplier of updated zope2.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 11 Jul 2006 16:21:23 +0200
Source: zope2.8
Binary: zope2.8 zope2.8-sandbox
Architecture: source i386 all
Version: 2.8.7-2
Distribution: unstable
Urgency: high
Maintainer: Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>
Changed-By: Fabio Tranchitella <kobold@debian.org>
Description: 
 zope2.8    - Open Source Web Application Server
 zope2.8-sandbox - sandbox instance for the zope2.8 web application server
Closes: 377277
Changes: 
 zope2.8 (2.8.7-2) unstable; urgency=high
 .
   * Fixed an information disclosure vulnerability (CVE-2006-3458) applying
     upstream patch: disable reStructuredText's 'raw' and 'include' directives.
     (Closes: #377277)
Files: 
 6781648e147294e35496bcbd1fce6fd3 849 web optional zope2.8_2.8.7-2.dsc
 a07489c44f3b91163b8fcda8f0f8d729 13571 web optional zope2.8_2.8.7-2.diff.gz
 f27cb89d30950188295006deb33ac558 5523130 web optional zope2.8_2.8.7-2_i386.deb
 f5155791e9b9cb2826190f88d38a8aa6 22252 web optional zope2.8-sandbox_2.8.7-2_all.deb

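The changelog entry above says the fix disables reStructuredText's 'raw' and 'include' directives. As an added example (not the Zope hotfix or the Debian patch), this is what the same hardening looks like at the docutils level: the `file_insertion_enabled` and `raw_enabled` settings are docutils' own, while `render_rst`, `demo` and the constructed marker file are this example's, standing in for any file the server process can read.

```python
"""Added example (not the Zope hotfix): render reST with docutils' file-inserting
directives switched off, which is what the CVE-2006-3458 fix does."""
import os
import tempfile

from docutils.core import publish_parts

# Equivalent of `rst2html --no-file-insertion --no-raw`: file_insertion_enabled
# governs "include" (and the file/url forms of "raw"); raw_enabled governs "raw".
HARDENED = {"file_insertion_enabled": False, "raw_enabled": False}
# docutils defaults: both directives enabled, i.e. the pre-hotfix situation.
WEAK = {}

# Constructed raw-HTML marker; in hardened mode docutils only echoes it back
# escaped inside a WARNING block, so the unescaped tag never reaches the page.
RAW_TAG = '<span id="constructed-raw"></span>'


def render_rst(source, hardened=True):
    """Render untrusted reST to an HTML body fragment."""
    overrides = HARDENED if hardened else WEAK
    return publish_parts(source, writer_name="html",
                         settings_overrides=overrides)["body"]


def demo():
    """Constructed scenario: a server-readable file whose contents must not
    reach the rendered page, plus a raw HTML block. Returns what each setting
    let through. docutils also reports every blocked directive as a WARNING
    on stderr, which is the signal worth collecting in application logs."""
    marker = "CONSTRUCTED-SECRET-MARKER"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(marker + "\n")
        path = fh.name
    untrusted = ("Title\n=====\n\n"
                 ".. include:: %s\n\n"
                 ".. raw:: html\n\n   %s\n" % (path, RAW_TAG))
    try:
        weak = render_rst(untrusted, hardened=False)
        hard = render_rst(untrusted, hardened=True)
    finally:
        os.unlink(path)
    return {
        "weak_leaks_file": marker in weak,
        "weak_passes_raw_html": RAW_TAG in weak,
        "hard_leaks_file": marker in hard,
        "hard_passes_raw_html": RAW_TAG in hard,
        "hard_reports_disabled": "directive disabled" in hard,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the hardened overrides the include and raw blocks are replaced by WARNING system messages in the output and the marker never appears; with the defaults both pass straight through.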




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 19:54:28 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:22:44 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.