Date: Fri, 16 Jun 2000 11:16:59 -0700 (PDT)
From: thomas@hentschel.net
To: gnats-admin@FreeBSD.org
Cc: freebsd-ports@FreeBSD.org
Subject: Re: ports/19329: zope ports security vulnerability
Message-ID: <200006161757.KAA26794@dorothy.hentschel.net>
In-Reply-To: <200006160550.WAA23055@freefall.freebsd.org>
Oh well, scratch that PR. Digital Creations changed their mind and pulled the 2.1.7 release in favor of a hotfix which can be found at http://www.zope.org/Products/Zope/Hotfix_06_16_2000. This will fix the aforementioned security problem.

This makes the patch below obsolete, so this PR can be closed.

-Th

--- Problem Report ---

Number:         ports/19329
Synopsis:       zope ports security vulnerability
Confidential:   no
Severity:       non-critical
Priority:       medium
Responsible:    freebsd-ports@FreeBSD.org
State:          open
Class:          change-request
Submitter-Id:   current-users
Arrival-Date:   Thu Jun 15 22:50:00 PDT 2000
Last-Modified:  never
Originator:     Thomas Hentschel <thomas@hentschel.net>
Release:        FreeBSD 3.4-STABLE i386

Environment:
FreeBSD systems running the Zope Application Server

Description:
A security vulnerability of the Zope release in the current ports system was found. Here is the advisory from Digital Creations (the creators of Zope):

    News Item: Zope security alert and 2.1.7 update
    Created by Brian on 2000/06/15.

    We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release. The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.

    A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org: http://www.zope.org/Products/Zope/2.1.7/

    .....

    While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients take the appropriate mitigation steps immediately.

Not sure if that would warrant a ports security alert; I sure would like to see one.

How-To-Repeat:
See above

Fix:
A patch is attached to upgrade the port to the recommended version.
I also took the freedom to change the directory of saving Data.fs for the de-install from /tmp to /var/tmp so it will survive a reboot. An appropriate message is given now too.

-Th

[Attachment: www-zope.diff]

diff -ur zope/Makefile zope.new/Makefile --- zope/Makefile Mon May 29 03:14:24 2000 +++ zope.new/Makefile Thu Jun 15 21:26:09 2000 @@ -6,7 +6,7 @@ # PORTNAME= zope -PORTVERSION= 2.1.6 +PORTVERSION= 2.1.7 CATEGORIES= www python MASTER_SITES= http://www.zope.org/Products/Zope/${PORTVERSION}/ DISTNAME= Zope-${PORTVERSION}-src @@ -73,12 +73,5 @@ ${ECHO} "===> The Zope license is in ${ZOPEBASEDIR}/LICENSE.txt." ; \ ${ECHO} "===> For Apache changes see ${APACHE_CONFDIR}/apache.conf.Zope-Changes." ; \ ${ECHO} "===> Zope.cgi and pcgi-wrapper live in ${CGI_BIN_DIR}." ) - -#pre-deinstall: # Save Database contents. I expect /tmp to have sufficient -# # space to hold it for the time being. -# @if [ -e ${ZOPEBASEDIR}/var/Data.fs ] ; then \ -# ${ECHO} "Saving existing Database to /tmp/Data.fs.bak." ; \ -# ${MV} ${ZOPEBASEDIR}/var/Data.fs /tmp/Data.fs.bak ; \ -# fi .include <bsd.port.mk> diff -ur zope/files/md5 zope.new/files/md5 --- zope/files/md5 Mon May 29 03:14:25 2000 +++ zope.new/files/md5 Thu Jun 15 21:28:12 2000 @@ -1 +1 @@ -MD5 (Zope-2.1.6-src.tgz) = 6ec4320afd6925c24f9f1b5cd7c4d7c5 +MD5 (Zope-2.1.7-src.tgz) = b07a0d4055d13eb9f1361cd96a47c265 diff -ur zope/pkg/PLIST zope.new/pkg/PLIST --- zope/pkg/PLIST Mon May 29 03:14:30 2000 +++ zope.new/pkg/PLIST Thu Jun 15 21:49:33 2000
@@ -847,6 +847,18 @@ %%ZOPEBASEDIR%%/lib/python/ZClasses/propertysheets.gif %%ZOPEBASEDIR%%/lib/python/ZClasses/subobjects.dtml %%ZOPEBASEDIR%%/lib/python/ZClasses/views.dtml +%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.pyc %%ZOPEBASEDIR%%/lib/python/ZODB/.cvsignore %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.py %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.pyc @@ -1096,6 +1108,7 @@ @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay/www @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay @dirrm %%ZOPEBASEDIR%%/lib/python/ZClasses +@dirrm %%ZOPEBASEDIR%%/lib/python/ZLogger @dirrm %%ZOPEBASEDIR%%/lib/python/ZODB @dirrm %%ZOPEBASEDIR%%/lib/python/ZPublisher @dirrm %%ZOPEBASEDIR%%/lib/python/Zope/ZLogger @@ -1110,7 +1123,8 @@ @dirrm %%ZOPEBASEDIR%%/pcgi/Win32 @dirrm %%ZOPEBASEDIR%%/pcgi @dirrm %%ZOPEBASEDIR%%/utilities -@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /tmp/Data.fs.bak +@unexec /bin/echo Preserving existing Database to /var/tmp/Data.fs.bak +@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /var/tmp/Data.fs.bak @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.in @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.lock @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.tmp
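Review bot: the PORTVERSION bump from 2.1.6 to 2.1.7 in the first Makefile hunk is overtaken by the reply at the top of this message: the 2.1.7 release has been withdrawn from zope.org, so MASTER_SITES=http://www.zope.org/Products/Zope/${PORTVERSION}/ now points at a release that no longer exists and a fetch against it cannot be relied on. Hold the version bump and carry the hotfix named in the reply (http://www.zope.org/Products/Zope/Hotfix_06_16_2000) against the existing 2.1.6 port instead.

Review bot: the second Makefile hunk deletes the commented-out pre-deinstall target, which was the only place the database move was guarded by an existence test (`@if [ -e ${ZOPEBASEDIR}/var/Data.fs ] ; then`). The live replacement in PLIST is unconditional, so the guard is lost rather than moved; if the Makefile target is not going to be revived, the conditional needs to travel to the @unexec line that now does the work.

Review bot: the new checksum line `+MD5 (Zope-2.1.7-src.tgz) = b07a0d4055d13eb9f1361cd96a47c265` in files/md5 cannot be verified from this PR, and since the 2.1.7 distfile has been withdrawn a committer cannot refetch it to confirm; a checksum for a distfile that is no longer published should not be committed. Regenerate files/md5 with `make makesum` from a tarball fetched directly rather than taking the value from the diff.

Review bot: the twelve ZLogger entries and the matching `+@dirrm %%ZOPEBASEDIR%%/lib/python/ZLogger` in the PLIST hunks follow the file's existing convention (both .py and .pyc listed, @dirrm after the files), but the pre-existing `@dirrm %%ZOPEBASEDIR%%/lib/python/Zope/ZLogger` is kept, so the PLIST now describes two ZLogger directories. Confirm both are really installed by the new tarball, otherwise deinstall will report a missing directory.

Review bot: the last PLIST hunk moves Data.fs, which is the site's entire object database (including whatever user accounts and credentials it stores), into /var/tmp under a fixed, predictable name with `mv -f`, and does so unconditionally. /var/tmp is world-writable, so an unprivileged local user can create /var/tmp/Data.fs.bak (or a symlink of that name) ahead of time, and `mv -f` will also silently clobber a backup left by an earlier deinstall; on a host where Zope never ran there is no Data.fs at all, yet the `/bin/echo Preserving existing Database` line still prints and the mv then errors. Suggested shape for the two lines: guard them with a test, and move into a root-owned, non-world-writable location under a unique name, e.g. `@unexec if [ -f %D/%%ZOPEBASEDIR%%/var/Data.fs ]; then echo "Preserving existing Database to /var/db/Data.fs.bak.$$"; mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /var/db/Data.fs.bak.$$; fi` (the /var/db path and the `$$` suffix are a suggestion, not something the port currently uses).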
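The advisory quoted in the PR describes the bug only at the level of its class: a method on a base class in DocumentTemplate that lacked a protection declaration and could therefore be reached remotely or from DTML to change a document's contents. The following is an added illustration of that class of bug and of the two ways to close it; it is not Zope's code, not the hotfix, and not the PR author's. It models a toy object publisher that, like the pattern the advisory describes, only refuses calls to attributes carrying an explicit protection declaration, so an undeclared base-class method is callable by anyone. All names (Document, DTMLDocument, FixedDTMLDocument, raw_set, manage_edit, publish_lenient, publish_strict, and `__roles__` as the declaration attribute) are hypothetical, and the document text used is constructed.

```python
"""Constructed model of an 'inadequately protected base-class method'
behind a permissive object publisher.  Not Zope code; every class,
method and role name is hypothetical.
"""

ANONYMOUS = "Anonymous"
MANAGER = "Manager"


class Unauthorized(Exception):
    """Raised by the publishers below when the caller lacks a required role."""


class Document:
    """Base class.  raw_set changes the stored text and was never given a
    __roles__ declaration: this is the inadequately protected method."""

    def __init__(self, text):
        self.text = text

    def raw_set(self, text):
        self.text = text
        return self.text

    def render(self):
        return self.text

    render.__roles__ = None  # explicitly public


class DTMLDocument(Document):
    """Subclass whose own editor is protected, so its author believed that
    every edit path required the Manager role."""

    def manage_edit(self, text):
        return self.raw_set(text)

    manage_edit.__roles__ = (MANAGER,)


class FixedDTMLDocument(DTMLDocument):
    """Advisory-style fix: the base-class setter gets its own protection
    declaration, closing the hole even under the lenient publisher."""

    def raw_set(self, text):
        return Document.raw_set(self, text)

    raw_set.__roles__ = (MANAGER,)


def _has_role(roles, user_roles):
    """None means public; otherwise the caller needs one of the roles."""
    return roles is None or bool(set(roles) & set(user_roles))


def publish_lenient(obj, method, user_roles, *args):
    """Vulnerable publisher: a method with no __roles__ attribute is treated
    as public, so an undeclared inherited method is reachable by URL."""
    fn = getattr(obj, method)
    if not _has_role(getattr(fn, "__roles__", None), user_roles):
        raise Unauthorized(method)
    return fn(*args)


def publish_strict(obj, method, user_roles, *args):
    """Hardened publisher: default deny.  A method is callable only if it
    declares __roles__; a declaration of None is a deliberate 'public'."""
    fn = getattr(obj, method, None)
    if fn is None or not hasattr(fn, "__roles__"):
        raise Unauthorized(method)
    if not _has_role(fn.__roles__, user_roles):
        raise Unauthorized(method)
    return fn(*args)


def attempt(publisher, doc_class, method, user_roles, new_text="defaced"):
    """Send one request against a fresh document (constructed text
    'original') and report whether the stored text was changed."""
    doc = doc_class("original")
    try:
        publisher(doc, method, user_roles, new_text)
    except Unauthorized:
        pass
    return doc.render() == new_text


if __name__ == "__main__":
    # Anonymous reaches the unprotected base-class setter through the
    # lenient publisher, but not through the strict one or the fixed class.
    print("lenient, anonymous, raw_set:", attempt(publish_lenient, DTMLDocument, "raw_set", [ANONYMOUS]))
    print("strict,  anonymous, raw_set:", attempt(publish_strict, DTMLDocument, "raw_set", [ANONYMOUS]))
    print("lenient, anonymous, raw_set on fixed class:", attempt(publish_lenient, FixedDTMLDocument, "raw_set", [ANONYMOUS]))
```

The two fixes are complementary: declaring roles on the base-class method (FixedDTMLDocument) repairs the one method the advisory names, while a default-deny publisher (publish_strict) means the next undeclared method in any base class is unreachable by construction rather than by someone remembering to declare it.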