Debian Bug report logs - #416500
[mj@zopatista.com: [Zope-Annce] Hotfix for cross-site scripting vulnerability]


Package: zope2.7; Maintainer for zope2.7 is (unknown);

Reported by: Bastian Blank <bastian@waldi.eu.org>

Date: Tue, 20 Mar 2007 11:57:01 UTC

Severity: important

Tags: security

Fixed in version zope2.7/2.7.5-2sarge4

Done: Jérémy Bobbio <lunar@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#415564; Package zope2.9.

Acknowledgement sent to Bastian Blank <bastian@waldi.eu.org>:
New Bug report received and forwarded. Copy sent to Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Bastian Blank <bastian@waldi.eu.org>
To: submit@bugs.debian.org
Subject: [mj@zopatista.com: [Zope-Annce] Hotfix for cross-site scripting vulnerability]
Date: Tue, 20 Mar 2007 12:46:19 +0100
[Message part 1 (text/plain, inline)]
Package: zope2.9
Version: 2.9.6-4
Severity: important
Tags: security

----- Forwarded message from Martijn Pieters <mj@zopatista.com> -----

To: Zope Announce <zope-announce@zope.org>
From: Martijn Pieters <mj@zopatista.com>
Date: Tue, 20 Mar 2007 09:40:30 +0100
Subject: [Zope-Annce] Hotfix for cross-site scripting vulnerability

A vulnerability has been discovered in Zope, where by certain types of
misuse of HTTP GET, an attacker could gain elevated privileges. All
Zope versions up to and including 2.10.2 are affected.

Overview

   This hotfix removes the exploit by mandating that security setting
   alterations can only be made through POST requests. This vulnerability
   has been fixed in the Zope 2.8, 2.9 and 2.10 branches and all future
   releases of Zope will include this fix.

   Do note that this patch only affects direct requests to the security
   methods; any 3rd-party code that calls these methods indirectly may
   still be affected.

Hotfix

   We have prepared a hot fix for this problem
   at:

   http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/

   This hotfix should be installed as soon as possible.

   To install, simply extract the archive into your Products
   directory in your Zope installation.

   See http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt
   for installation instructions.

----- End forwarded message -----

-- 
But Captain -- the engines can't take this much longer!
[signature.asc (application/pgp-signature, inline)]
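The advisory above states the mitigation in one sentence (security-setting methods accept POST but not GET) and adds the caveat that only direct requests are covered. The Python sketch below is an added example, not the Zope hotfix or any code from the zope2.7 package; the names Request, postonly, PermissionTable, manage_setRoles and publish are hypothetical stand-ins for a request object, a guard, an object's security settings, a security method and a publisher. It shows a cross-site GET being refused, the same method succeeding on a POST, and the bypass the advisory warns about: a helper that calls the guarded method without forwarding the request, so the check never runs.

```python
"""Added illustration of a POST-only guard on a security-setting method.

Hypothetical names throughout; this is not Zope's own code. The guard is
placed in the method, as the advisory describes, so it can only see a
request that is handed to it directly.
"""
from functools import wraps


class Forbidden(Exception):
    """Raised when a state-changing method is reached via a non-POST request."""


class Request:
    """Minimal stand-in for an HTTP request: method plus parsed form fields."""

    def __init__(self, method, form=None):
        self.method = method.upper()
        self.form = form or {}


def postonly(func):
    """Refuse to run a state-changing method unless the request is a POST.

    The check only fires when a REQUEST is passed. A caller that omits it
    (typical of third-party Python code calling the method indirectly)
    bypasses the check; that is the caveat the advisory mentions.
    """

    @wraps(func)
    def wrapper(self, *args, REQUEST=None, **kwargs):
        if REQUEST is not None and REQUEST.method != "POST":
            raise Forbidden("%s may only be called via POST" % func.__name__)
        return func(self, *args, REQUEST=REQUEST, **kwargs)

    return wrapper


class PermissionTable:
    """Toy role-to-permission table standing in for object security settings."""

    def __init__(self):
        self.roles = {"Manager": {"Manage portal"}, "Anonymous": set()}

    @postonly
    def manage_setRoles(self, role, permissions, REQUEST=None):
        """Security-setting method: assign a set of permissions to a role."""
        self.roles[role] = set(permissions)
        return self.roles[role]

    def legacy_grant_all(self, role, REQUEST=None):
        """Third-party-style helper reachable via GET that calls the guarded
        method without forwarding REQUEST, so the POST check never runs."""
        return self.manage_setRoles(role, {"Manage portal"})


def publish(table, request):
    """Tiny publisher: turn ?role=...&permissions=... into the method call,
    passing the request through so the guard can inspect it."""
    try:
        result = table.manage_setRoles(
            request.form["role"], request.form["permissions"], REQUEST=request)
        return ("ok", result)
    except Forbidden as exc:
        return ("forbidden", str(exc))


def demo():
    """Run three constructed requests and return what each one achieved."""
    table = PermissionTable()
    # Constructed hostile request: an admin's browser is lured into a GET
    # (image tag, redirect, link) and the admin's own session authenticates it.
    hostile_get = Request("GET", {"role": "Anonymous",
                                  "permissions": ["Manage portal"]})
    get_outcome = publish(table, hostile_get)
    anonymous_after_get = set(table.roles["Anonymous"])
    # Legitimate form submission from the management interface.
    post = Request("POST", {"role": "Reviewer", "permissions": ["View"]})
    post_outcome = publish(table, post)
    # Indirect path: a GET reaches legacy code that drops the request.
    bypass_result = table.legacy_grant_all("Anonymous", REQUEST=Request("GET"))
    return {
        "get_status": get_outcome[0],
        "anonymous_after_get": anonymous_after_get,
        "post_status": post_outcome[0],
        "reviewer_perms": table.roles["Reviewer"],
        "bypass_result": bypass_result,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The third result is the point of the advisory's caveat: a method-level guard cannot see a request that was never handed to it, so any code path that reaches a security method indirectly has to be audited separately or made to forward the request.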

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#415564; Package zope2.9.

Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>.

Message #10 received at 415564@bugs.debian.org:

From: Jérémy Bobbio <lunar@debian.org>
To: 415564@bugs.debian.org
Cc: control@bugs.debian.org
Subject: zope2.7 is affected as well
Date: Wed, 28 Mar 2007 14:42:17 +0200
[Message part 1 (text/plain, inline)]
clone 415564 -1
reassign -1 zope2.7
thanks

zope2.7 in stable is affected as well as visible in the attached results
from the unit tests shipped with the hotfix.

A backport of the hotfix is thus needed to get a security update for
stable.

Cheers,
-- 
Jérémy Bobbio                        .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[zope2.7-test_hotfix-results.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug 415564 cloned as bug 416500. Request was from Jérémy Bobbio <lunar@debian.org> to control@bugs.debian.org. (Wed, 28 Mar 2007 12:45:04 GMT)

Bug reassigned from package `zope2.9' to `zope2.7'. Request was from Jérémy Bobbio <lunar@debian.org> to control@bugs.debian.org. (Wed, 28 Mar 2007 12:45:07 GMT)

Reply sent to Jérémy Bobbio <lunar@debian.org>:
You have taken responsibility.

Notification sent to Bastian Blank <bastian@waldi.eu.org>:
Bug acknowledged by developer.

Message #19 received at 416500-close@bugs.debian.org:

From: Jérémy Bobbio <lunar@debian.org>
To: 416500-close@bugs.debian.org
Subject: Bug#416500: fixed in zope2.7 2.7.5-2sarge4
Date: Sat, 07 Apr 2007 13:14:28 +0000
Source: zope2.7
Source-Version: 2.7.5-2sarge4

We believe that the bug you reported is fixed in the latest version of
zope2.7, which is due to be installed in the Debian FTP archive:

zope2.7_2.7.5-2sarge4.diff.gz
  to pool/main/z/zope2.7/zope2.7_2.7.5-2sarge4.diff.gz
zope2.7_2.7.5-2sarge4.dsc
  to pool/main/z/zope2.7/zope2.7_2.7.5-2sarge4.dsc
zope2.7_2.7.5-2sarge4_i386.deb
  to pool/main/z/zope2.7/zope2.7_2.7.5-2sarge4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 416500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Bobbio <lunar@debian.org> (supplier of updated zope2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Mar 2007 16:49:59 +0200
Source: zope2.7
Binary: zope2.7
Architecture: source i386
Version: 2.7.5-2sarge4
Distribution: stable-security
Urgency: high
Maintainer: Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>
Changed-By: Jérémy Bobbio <lunar@debian.org>
Description: 
 zope2.7    - Open Source Web Application Server
Closes: 416500
Changes: 
 zope2.7 (2.7.5-2sarge4) stable-security; urgency=high
 .
   * SECURITY UPDATE: Prevent privileges elevation through misuse of HTTP GET.
     Refs: http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement/view
           CVE-2007-0240
     (Closes: #416500)
Files: 
 8c2978255c5b9aa7306a976690f2a1b9 906 web optional zope2.7_2.7.5-2sarge4.dsc
 685e49f63b9a702081892b6ed645089f 56167 web optional zope2.7_2.7.5-2sarge4.diff.gz
 b28fa77d6ad2819f60c231181e616ebd 2631626 web optional zope2.7_2.7.5-2sarge4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFGDCEu2PUjs9fQ72URArAxAKCipvkI89MZBbjUPVWvsRwhbC/fAgCeM2Zy
OZKzv3Ee4+jOIdAaabIcNY8=
=jrYO
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Jun 2007 21:26:53 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:33:37 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.