From: "HAYASHI Yasushi"
To: freebsd-vuxml@freebsd.org
Date: Tue, 12 Dec 2006 08:19:54 +0900
Subject: Re: zope -- restructuredText "csv_table" Information Disclosure

On 10/19/06, Andrew Pntyukhim wrote:
> The vulnerability has been confirmed in these versions,
> but as far as we know there are no versions confirmed
> to be safe yet. To be on the safe side we never put an
> upper limit on version numbers until we know it for
> sure.

Please add an upper limit to vid="65a8f773-4a37-11db-a4cc-000a48049292".
There are two reasons.

(1) I sent PRs for this vulnerability.
This will update www/zope to zope-2.7.9_1 and www/zope28 to zope-2.8.8_1.
See:
http://www.freebsd.org/cgi/query-pr.cgi?pr=106505
http://www.freebsd.org/cgi/query-pr.cgi?pr=106508

(2) IT points TOO wide range.
Current range causes for www/zope3 which does not have this vulnerability.
>
> vxquery -t text /usr/ports/security/vuxml/vuln.xml zope-3.3.0
> Topic: zope -- restructuredText "csv_table" Information Disclosure
> Affects:
> 0 <= zope
> References:
> bid:20022
> cvename:CVE-2006-4684
> url:http://secunia.com/advisories/21947/
> url:http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt
>
>
>
>
> www# pwd
> /usr/ports/www/zope3
> www# make fetch
> ===> zope-3.3.0 has known vulnerabilities:
> => zope -- restructuredText "csv_table" Information Disclosure.
> Reference:
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/www/zope3.
> www#

Thank you for reading.

--
----+----1----+----2----+----3----+----4----+----5----+----6----+----7--
HAYASHI Yasushi
http://www.yasi.to/blog
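
The range problem described in the message above, as an added example that is not part of the original e-mail or of the VuXML tooling: a simplified matcher showing why "0 <= zope" flags zope-3.3.0 and why an upper limit stops that. The bounded ranges are constructed from the fixed versions named in the message and are an assumption about how the entry could be written; the version comparison is simplified and ignores port epochs and alphabetic suffixes.

```python
def parse_version(version):
    """Split 'X.Y.Z_N' into ((X, Y, Z), N).

    Simplified stand-in for the ports version comparison: numeric dotted
    components plus an optional '_N' port revision only.
    """
    base, _, revision = version.partition("_")
    return tuple(int(part) for part in base.split(".")), int(revision or 0)


def in_range(version, ge=None, lt=None):
    """True if ge <= version < lt; a missing bound means 'unlimited'."""
    parsed = parse_version(version)
    if ge is not None and parsed < parse_version(ge):
        return False
    if lt is not None and parsed >= parse_version(lt):
        return False
    return True


def affected(package, ranges):
    """Check a 'name-version' package string against a list of ranges."""
    name, _, version = package.rpartition("-")
    return any(
        name == r["name"] and in_range(version, r.get("ge"), r.get("lt"))
        for r in ranges
    )


# Range as printed by vxquery in the message: "0 <= zope", no upper limit.
UNBOUNDED = [{"name": "zope", "ge": "0"}]

# Constructed ranges (assumption): upper limits taken from the fixed
# versions named in the message, zope-2.7.9_1 and zope-2.8.8_1.
BOUNDED = [
    {"name": "zope", "ge": "0", "lt": "2.7.9_1"},
    {"name": "zope", "ge": "2.8.0", "lt": "2.8.8_1"},
]

if __name__ == "__main__":
    for pkg in ("zope-2.7.9", "zope-2.7.9_1", "zope-2.8.8", "zope-3.3.0"):
        print(pkg, "unbounded:", affected(pkg, UNBOUNDED),
              "bounded:", affected(pkg, BOUNDED))
```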