Date:      Tue, 12 Dec 2006 08:19:54 +0900
From:      "HAYASHI Yasushi" <yasi@yasi.to>
To:        freebsd-vuxml@freebsd.org
Subject:   Re: zope -- restructuredText "csv_table" Information Disclosure
Message-ID:  <dcf270660612111519t33aed8egddd454d40bc94add@mail.gmail.com>

On 10/19/06, Andrew Pantyukhin wrote:
> The vulnerability has been confirmed in these versions,
> but as far as we know there are no versions confirmed
> to be safe yet. To be on the safe side we never put an
> upper limit on version numbers until we know it for
> sure.

Please add an upper limit to vid="65a8f773-4a37-11db-a4cc-000a48049292".
There are two reasons.

(1)  I sent PRs for this vulnerability
  These will update www/zope to zope-2.7.9_1 and www/zope28 to zope-2.8.8_1.
  See:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=106505
    http://www.freebsd.org/cgi/query-pr.cgi?pr=106508

(2)  It points to too wide a range
  The current range also matches www/zope3, which does not have this vulnerability.

> > vxquery -t text /usr/ports/security/vuxml/vuln.xml zope-3.3.0
> Topic: zope -- restructuredText "csv_table" Information Disclosure
> Affects:
>     0 <= zope
> References:
>     bid:20022
>     cvename:CVE-2006-4684
>     url:http://secunia.com/advisories/21947/
>     url:http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt
> <URL:http://vuxml.freebsd.org/65a8f773-4a37-11db-a4cc-000a48049292.html>
>
> >

> www# pwd
> /usr/ports/www/zope3
> www# make fetch
> ===>  zope-3.3.0 has known vulnerabilities:
> => zope -- restructuredText "csv_table" Information Disclosure.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/65a8f773-4a37-11db-a4cc-000a48049292.html>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/www/zope3.
> www#


Thank you for reading.

-- 
----+----1----+----2----+----3----+----4----+----5----+----6----+----7--
HAYASHI Yasushi  <yasi@yasi.to>
http://www.yasi.to/blog
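
An added illustration of point (2), not part of the original message and not code from the FreeBSD VuXML tools: it evaluates the unbounded "0 <= zope" range and an upper-bounded alternative against several package versions. The bounded ranges, the 2.8.0 lower bound, the simplified version comparison and all function names are assumptions built from the versions named in the PRs above.

```python
import xml.etree.ElementTree as ET

# Constructed <affects> fragments (XML namespace omitted). CURRENT mirrors the
# "0 <= zope" range in the vxquery output; BOUNDED is an assumed fix, not the
# entry that was actually committed.
CURRENT = """<affects><package><name>zope</name>
  <range><ge>0</ge></range></package></affects>"""
BOUNDED = """<affects><package><name>zope</name>
  <range><ge>0</ge><lt>2.7.9_1</lt></range>
  <range><ge>2.8.0</ge><lt>2.8.8_1</lt></range></package></affects>"""

def vkey(version):
    """Simplified port-version key: dotted integers plus _PORTREVISION.
    Assumption: no epoch or letter suffixes, unlike the full pkg rules."""
    base, _, rev = version.partition("_")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b,
       "eq": lambda a, b: a == b}

def is_flagged(affects_xml, pkgname):
    """Return True if pkgname (e.g. 'zope-3.3.0') falls in any listed range."""
    name, _, version = pkgname.rpartition("-")
    for pkg in ET.fromstring(affects_xml).iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            # Every bound inside one <range> must hold; ranges are OR-ed.
            if all(OPS[b.tag](vkey(version), vkey(b.text)) for b in rng):
                return True
    return False

def compare(pkgnames):
    """Map each package name to (flagged by CURRENT, flagged by BOUNDED)."""
    return {p: (is_flagged(CURRENT, p), is_flagged(BOUNDED, p))
            for p in pkgnames}

if __name__ == "__main__":
    sample = ["zope-2.7.9", "zope-2.8.8", "zope-2.8.8_1", "zope-3.3.0"]
    for pkg, (cur, fixed) in compare(sample).items():
        print(f"{pkg:14} current={cur!s:5} bounded={fixed}")
```

Because www/zope3 installs under the package name "zope", only the upper bound separates it from the affected 2.7 and 2.8 branches.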


