Date:      Thu, 15 Jun 2000 22:51:10 -0700 (PDT)
From:      thomas@hentschel.net
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        ports@freebsd.org, security-officer@freebsd.org
Subject:   ports/19329: zope ports security vulnerability
Message-ID:  <200006160531.WAA08580@dorothy.hentschel.net>


>Number:         19329
>Category:       ports
>Synopsis:       zope ports security vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 15 22:50:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Hentschel
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

	FreeBSD systems running the Zope Application Server

>Description:

        A security vulnerability in the Zope release currently in the
        ports system was found. Here is the advisory from Digital
        Creations (the creators of Zope):

        News Item: Zope security alert and 2.1.7 update

        Created by Brian on 2000/06/15.

        We have recently become aware of an important security issue
        that affects all released Zope versions including the recent
        2.2 beta 1 release.

        The issue involves an inadequately protected method in one of
        the base classes in the DocumentTemplate package that could
        allow the contents of DTMLDocuments or DTMLMethods to be changed
        remotely or through DTML code without forcing proper user authorization.

        A Zope 2.1.7 release has been made that resolves this issue for Zope
        2.1.x users. This release is available from Zope.org:

        http://www.zope.org/Products/Zope/2.1.7/

        .....

        While we know of no instances of this issue being used to exploit a site,
        we *highly* recommend that any Zope site that is accessible by untrusted
        clients take the appropriate mitigation steps immediately.

	Not sure if that would warrant a ports security alert; I sure
	would like to see one.

>How-To-Repeat:

	See above

>Fix:

	A patch is attached to upgrade the port to the recommended
	version.
	I also took the liberty to change the directory where Data.fs
	is saved on de-install from /tmp to /var/tmp so it will
	survive a reboot. An appropriate message is given now too.

	-Th

--0-1804289383-961134678=:9899
Content-Type: TEXT/plain; CHARSET=US-ASCII
Content-Disposition: attachment ; filename="www-zope.diff"

diff -ur zope/Makefile zope.new/Makefile
--- zope/Makefile	Mon May 29 03:14:24 2000
+++ zope.new/Makefile	Thu Jun 15 21:26:09 2000
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	zope
-PORTVERSION=	2.1.6
+PORTVERSION=	2.1.7
 CATEGORIES=	www python
 MASTER_SITES=	http://www.zope.org/Products/Zope/${PORTVERSION}/
 DISTNAME=	Zope-${PORTVERSION}-src
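Review bot: the PORTVERSION bump from 2.1.6 to 2.1.7 also changes the fetch location, because MASTER_SITES and DISTNAME are both derived from ${PORTVERSION}; the new distfile is therefore Zope-2.1.7-src.tgz from http://www.zope.org/Products/Zope/2.1.7/ and it must match the checksum committed in files/md5. Regenerate that checksum from a freshly fetched tarball (make makesum) rather than copying it, and compare the result with the value Zope.org publishes for the 2.1.7 release before committing.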
@@ -73,12 +73,5 @@
 		${ECHO} "===>   The Zope license is in ${ZOPEBASEDIR}/LICENSE.txt." ; \
 		${ECHO} "===>   For Apache changes see ${APACHE_CONFDIR}/apache.conf.Zope-Changes." ; \
 		${ECHO} "===>   Zope.cgi and pcgi-wrapper live in ${CGI_BIN_DIR}." )
-
-#pre-deinstall:	# Save Database contents. I expect /tmp to have sufficient
-#		# space to hold it for the time being.
-#		@if [ -e ${ZOPEBASEDIR}/var/Data.fs ] ; then \
-#			${ECHO} "Saving existing Database to /tmp/Data.fs.bak." ; \
-#			${MV} ${ZOPEBASEDIR}/var/Data.fs /tmp/Data.fs.bak ; \
-#			fi
 
 .include <bsd.port.mk>
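Review bot: dropping the commented-out pre-deinstall block is fine since it was dead code, but it was the only place that recorded the `[ -e ${ZOPEBASEDIR}/var/Data.fs ]` existence check and the assumption about free space for the backup. The replacement @unexec lines in pkg/PLIST run unconditionally, so carry that existence check over to the PLIST commands, or at least leave a one-line comment in the Makefile saying where the Data.fs backup now goes and why.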
diff -ur zope/files/md5 zope.new/files/md5
--- zope/files/md5	Mon May 29 03:14:25 2000
+++ zope.new/files/md5	Thu Jun 15 21:28:12 2000
@@ -1 +1 @@
-MD5 (Zope-2.1.6-src.tgz) = 6ec4320afd6925c24f9f1b5cd7c4d7c5
+MD5 (Zope-2.1.7-src.tgz) = b07a0d4055d13eb9f1361cd96a47c265
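Review bot: the new MD5 for Zope-2.1.7-src.tgz cannot be verified from the diff alone; before committing, fetch the tarball from the MASTER_SITES URL, confirm that make checksum passes, and check the value against what Zope.org publishes for the 2.1.7 release. A checksum that merely matches whatever happened to be downloaded gives no protection against a tampered mirror, which matters more than usual for a security update.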
diff -ur zope/pkg/PLIST zope.new/pkg/PLIST
--- zope/pkg/PLIST	Mon May 29 03:14:30 2000
+++ zope.new/pkg/PLIST	Thu Jun 15 21:49:33 2000
@@ -847,6 +847,18 @@
 %%ZOPEBASEDIR%%/lib/python/ZClasses/propertysheets.gif
 %%ZOPEBASEDIR%%/lib/python/ZClasses/subobjects.dtml
 %%ZOPEBASEDIR%%/lib/python/ZClasses/views.dtml
+%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.pyc
 %%ZOPEBASEDIR%%/lib/python/ZODB/.cvsignore
 %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.py
 %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.pyc
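Review bot: the twelve new ZLogger entries include .pyc files, which is consistent with the rest of the PLIST (compare ZODB/BaseStorage.pyc), but the list should be generated from an actual 2.1.7 install rather than typed by hand: any file under lib/python/ZLogger that is missing here is left behind on deinstall and then makes the corresponding @dirrm in the later hunk fail.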
@@ -1096,6 +1108,7 @@
 @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay/www
 @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay
 @dirrm %%ZOPEBASEDIR%%/lib/python/ZClasses
+@dirrm %%ZOPEBASEDIR%%/lib/python/ZLogger
 @dirrm %%ZOPEBASEDIR%%/lib/python/ZODB
 @dirrm %%ZOPEBASEDIR%%/lib/python/ZPublisher
 @dirrm %%ZOPEBASEDIR%%/lib/python/Zope/ZLogger
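Review bot: the @dirrm for lib/python/ZLogger sits in sorted position before ZODB, matching the file's convention; note that it is distinct from the pre-existing @dirrm for lib/python/Zope/ZLogger a few lines below, so 2.1.7 is expected to install both directories and both must be fully covered by file entries for the removal to succeed.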
@@ -1110,7 +1123,8 @@
 @dirrm %%ZOPEBASEDIR%%/pcgi/Win32
 @dirrm %%ZOPEBASEDIR%%/pcgi
 @dirrm %%ZOPEBASEDIR%%/utilities
-@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /tmp/Data.fs.bak
+@unexec /bin/echo Preserving existing Database to /var/tmp/Data.fs.bak
+@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /var/tmp/Data.fs.bak
 @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.in
 @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.lock
 @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.tmp
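Review bot: moving Data.fs to a fixed, predictable name in /var/tmp, a world-writable directory shared with every local user, puts the site's entire object database (including whatever user data and credentials it holds) outside the package's own tree; mv keeps the file's existing owner and mode, so if Data.fs was group- or world-readable under ${ZOPEBASEDIR}/var, any local user can now read it at a known path. Prefer a root-owned directory that is not shared (for example a mode 0700 directory under /var, or leaving the file in ${ZOPEBASEDIR}/var) and chmod the backup to 0600 after the move. Separately, both the echo and the mv run unconditionally, whereas the Makefile block this replaces had an `if [ -e ... ]` guard; without it a deinstall with no database prints the message and then mv emits an error, so wrap both commands in `@unexec if [ -e %D/%%ZOPEBASEDIR%%/var/Data.fs ]; then ...; fi` so the step is a no-op when there is nothing to preserve.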

--0-1804289383-961134678=:9899--

>Release-Note:
>Audit-Trail:
>Unformatted: