From owner-freebsd-ports Thu Jun 15 22:50: 7 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 1881637BD00 for ; Thu, 15 Jun 2000 22:50:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id WAA23059; Thu, 15 Jun 2000 22:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from dorothy.hentschel.net (d83b0468.dsl.flashcom.net [216.59.4.104]) by hub.freebsd.org (Postfix) with ESMTP id 1427237B809; Thu, 15 Jun 2000 22:43:44 -0700 (PDT) (envelope-from thomas@hentschel.net)
Received: from hentschel.net (thomas@falcon.home.hentschel.net [192.168.1.2]) by dorothy.hentschel.net (8.8.8/8.8.8) with ESMTP id WAA08580; Thu, 15 Jun 2000 22:31:52 -0700 (PDT) (envelope-from thomas@hentschel.net)
Message-Id: <200006160531.WAA08580@dorothy.hentschel.net>
Date: Thu, 15 Jun 2000 22:51:10 -0700 (PDT)
From: thomas@hentschel.net
To: FreeBSD-gnats-submit@freebsd.org
Cc: ports@freebsd.org, security-officer@freebsd.org
Subject: ports/19329: zope ports security vulnerability
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         19329
>Category:       ports
>Synopsis:       zope ports security vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 15 22:50:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Hentschel
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:
FreeBSD systems running the Zope Application Server
>Description:
A security vulnerability of the Zope release in the current ports system was found. Here is the advisory from Digital Creations (the creators of Zope):

News Item: Zope security alert and 2.1.7 update
Created by Brian on 2000/06/15.

We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release. The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.

A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org: http://www.zope.org/Products/Zope/2.1.7/

.....

While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients take the appropriate mitigation steps immediately.

Not sure if that would warrant a ports security alert; I sure would like to see one.
>How-To-Repeat:
See above
>Fix:
A patch is attached to upgrade the port to the recommended version.
I also took the freedom to change the directory of saving Data.fs for the de-install from /tmp to /var/tmp so it will survive a reboot. An appropriate message is given now too.

-Th

--0-1804289383-961134678=:9899
Content-Type: TEXT/plain; CHARSET=US-ASCII
Content-Disposition: attachment ; filename="www-zope.diff"

diff -ur zope/Makefile zope.new/Makefile --- zope/Makefile Mon May 29 03:14:24 2000 +++ zope.new/Makefile Thu Jun 15 21:26:09 2000 @@ -6,7 +6,7 @@ # PORTNAME= zope -PORTVERSION= 2.1.6 +PORTVERSION= 2.1.7 CATEGORIES= www python MASTER_SITES= http://www.zope.org/Products/Zope/${PORTVERSION}/ DISTNAME= Zope-${PORTVERSION}-src @@ -73,12 +73,5 @@ ${ECHO} "===> The Zope license is in ${ZOPEBASEDIR}/LICENSE.txt." ; \ ${ECHO} "===> For Apache changes see ${APACHE_CONFDIR}/apache.conf.Zope-Changes." ; \ ${ECHO} "===> Zope.cgi and pcgi-wrapper live in ${CGI_BIN_DIR}." ) - -#pre-deinstall: # Save Database contents. I expect /tmp to have sufficient -# # space to hold it for the time being. -# @if [ -e ${ZOPEBASEDIR}/var/Data.fs ] ; then \ -# ${ECHO} "Saving existing Database to /tmp/Data.fs.bak." ; \ -# ${MV} ${ZOPEBASEDIR}/var/Data.fs /tmp/Data.fs.bak ; \ -# fi .include diff -ur zope/files/md5 zope.new/files/md5 --- zope/files/md5 Mon May 29 03:14:25 2000 +++ zope.new/files/md5 Thu Jun 15 21:28:12 2000 @@ -1 +1 @@ -MD5 (Zope-2.1.6-src.tgz) = 6ec4320afd6925c24f9f1b5cd7c4d7c5 +MD5 (Zope-2.1.7-src.tgz) = b07a0d4055d13eb9f1361cd96a47c265 diff -ur zope/pkg/PLIST zope.new/pkg/PLIST --- zope/pkg/PLIST Mon May 29 03:14:30 2000 +++ zope.new/pkg/PLIST Thu Jun 15 21:49:33 2000
@@ -847,6 +847,18 @@ %%ZOPEBASEDIR%%/lib/python/ZClasses/propertysheets.gif %%ZOPEBASEDIR%%/lib/python/ZClasses/subobjects.dtml %%ZOPEBASEDIR%%/lib/python/ZClasses/views.dtml +%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.pyc +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.py +%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.pyc %%ZOPEBASEDIR%%/lib/python/ZODB/.cvsignore %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.py %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.pyc @@ -1096,6 +1108,7 @@ @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay/www @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay @dirrm %%ZOPEBASEDIR%%/lib/python/ZClasses +@dirrm %%ZOPEBASEDIR%%/lib/python/ZLogger @dirrm %%ZOPEBASEDIR%%/lib/python/ZODB @dirrm %%ZOPEBASEDIR%%/lib/python/ZPublisher @dirrm %%ZOPEBASEDIR%%/lib/python/Zope/ZLogger @@ -1110,7 +1123,8 @@ @dirrm %%ZOPEBASEDIR%%/pcgi/Win32 @dirrm %%ZOPEBASEDIR%%/pcgi @dirrm %%ZOPEBASEDIR%%/utilities -@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /tmp/Data.fs.bak +@unexec /bin/echo Preserving existing Database to /var/tmp/Data.fs.bak +@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /var/tmp/Data.fs.bak @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.in @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.lock @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.tmp

>Release-Note:
>Audit-Trail:
>Unformatted:
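Review bot: the block removed in the second Makefile hunk (`-73,12 +73,5`) was entirely commented out, so its deletion changes no build behaviour; what it documented, that `Data.fs` is moved aside at deinstall and where it goes, now lives only in the PLIST `@unexec` lines, so a one-line comment beside the post-install `${ECHO}` messages saying that the database is preserved at deinstall would keep that visible to the next maintainer.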
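Review bot: the replacement checksum in the `files/md5` hunk carries no provenance; since `MASTER_SITES` in the first Makefile hunk fetches the distfile over plain `http://www.zope.org/...`, the value for `Zope-2.1.7-src.tgz` should be checked against the checksum published with the 2.1.7 release rather than computed from whatever was downloaded, and the PR could state which it was.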
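Review bot: the two new `@unexec` lines in the last PLIST hunk run unconditionally, so deinstalling a Zope that never created `var/Data.fs` prints `Preserving existing Database ...` and then an `mv` error; the removed Makefile block guarded this with `[ -e ${ZOPEBASEDIR}/var/Data.fs ]`, and the same test fits in the `@unexec` (`@unexec [ -f %D/%%ZOPEBASEDIR%%/var/Data.fs ] && mv -f ... || true`). Moving to the fixed name `/var/tmp/Data.fs.bak` with `mv -f` also overwrites any earlier backup, and because `/var/tmp` is world-writable, a file or symlink of that name created there beforehand by another local user decides where the database ends up; a root-owned directory that is not world-writable, with a unique backup name, avoids both problems.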
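The deinstall-time Data.fs save described in the note above, written the way a reviewer would want it; this is an added example, not code from the PR or the zope port, and it assumes the backup directory (a root-owned one instead of /var/tmp) already exists.

```shell
#!/bin/sh
# Added example, not code from the PR or the zope port: save Zope's Data.fs
# at deinstall time while closing the gaps in the PR's @unexec lines.
#   - acts only when the database exists (the PR's "mv -f" always runs);
#   - refuses a world-writable destination such as /tmp or /var/tmp, where a
#     pre-existing file or symlink of the backup name decides where data goes;
#   - never clobbers an earlier backup: mktemp picks an unused name.
# Returns 0 and prints the backup path on success, 0 with no output when there
# is nothing to save, 1 for an unsafe destination, 2 when the move fails.
preserve_datafs() {
    db="$1"
    dest_dir="$2"
    if [ ! -f "$db" ]; then
        return 0
    fi
    if [ ! -d "$dest_dir" ]; then
        echo "preserve_datafs: $dest_dir is not a directory" >&2
        return 1
    fi
    # "ls -ld" prints e.g. "drwxrwxrwt ..."; column 9 is the other-write bit.
    case "$(ls -ld "$dest_dir")" in
        ????????w*)
            echo "preserve_datafs: refusing world-writable $dest_dir" >&2
            return 1 ;;
    esac
    # mktemp creates the target with a fresh name and mode 0600; mv replaces it.
    backup=$(mktemp "$dest_dir/Data.fs.bak.XXXXXX") || return 2
    mv -f "$db" "$backup" || return 2
    echo "$backup"
}
# Usage: preserve_datafs /usr/local/zope/var/Data.fs /var/backups
```

The PLIST equivalent would be an `@unexec` calling this function from a helper script installed by the port, with the directory argument pointing at a root-owned location.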