Hello,
Luciano Bello luci...@debian.org writes:
> Hi, please see : http://seclists.org/oss-sec/2012/q4/249
> Can you confirm if any of the Debian packages are affected?
As far as I could find (not clear in the upstream changelog):
version 2.12.26:
* LP #1071067 fixes CVE-2012-5507, CVE-2012-5508.
* LP #930812 fixes CVE-2012-5486.
version 2.12.21:
* LP #1079238 fixes CVE-2012-5489.
According to the upstream changelog, LP #1047318 seems to fix a security
bug, but I could not find it in the zope2 Launchpad or anywhere else.
The following CVEs do not affect the Zope2 package (Plone/Zope3/...)
(in brackets: the affected product/module/... along with the
corresponding filename in the Plone Hotfix):
* CVE-2012-5485 (Plone: registerConfiglet.py)
http://plone.org/products/plone/security/advisories/20121106/01
* CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
(Plone-specific: python_scripts.py)
http://plone.org/products/plone/security/advisories/20121106/04
http://plone.org/products/plone/security/advisories/20121106/10
http://plone.org/products/plone/security/advisories/20121106/11
http://plone.org/products/plone/security/advisories/20121106/15
http://plone.org/products/plone/security/advisories/20121106/22
* CVE-2012-5490 (kss: kssdevel.py)
http://plone.org/products/plone/security/advisories/20121106/06
* CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
http://plone.org/products/plone/security/advisories/20121106/12
http://plone.org/products/plone/security/advisories/20121106/20
* CVE-2012-5492 (Plone: uid_catalog.py)
http://plone.org/products/plone/security/advisories/20121106/08
* CVE-2012-5493 (CMFCore: gtbn.py)
http://plone.org/products/plone/security/advisories/20121106/09
* CVE-2012-5496 (Plone: kupu_spellcheck.py)
http://plone.org/products/plone/security/advisories/20121106/09
* CVE-2012-5497 (Plone: membership_tool.py)
http://plone.org/products/plone/security/advisories/20121106/13
* CVE-2012-5498 (Plone: queryCatalog.py)
http://plone.org/products/plone/security/advisories/20121106/14
* CVE-2012-5500 (Plone: renameObjectsByPaths.py)
http://plone.org/products/plone/security/advisories/20121106/15
* CVE-2012-5501 (Plone: at_download.py)
http://plone.org/products/plone/security/advisories/20121106/17
* CVE-2012-5502 (PortalTransforms: safe_html.py)
http://plone.org/products/plone/security/advisories/20121106/18
* CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
http://plone.org/products/plone/security/advisories/20121106/19
Not fixed in the latest release of Zope AFAIK:
* CVE-2012-5487 (allow_module.py)
http://plone.org/products/plone/security/advisories/20121106/03
* CVE-2012-5505 (zope.traversing: atat.py)
http://plone.org/products/plone/security/advisories/20121106/21
I have attached to this email the patches for these two CVEs and will
upload them soon. I'm CC'ing zope-dev for review.
Regards,
Arnaud Fontaine
Index: zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py
===
--- zope2.12-2.12.26.orig/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-22 18:57:27.0 +0900
+++ zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-24 13:23:20.669183242 +0900
@@ -311,6 +311,8 @@
ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
dot = module_name.find('.', dot + 1)
+allow_module.__roles__ = ()
+
def allow_class(Class):
Allow a class and all of its methods to be used from a
restricted Script. The argument Class must be a class.
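Review bot: `allow_module.__roles__ = ()` needs a one-line comment in the hunk saying that the empty tuple removes every role, so the function can no longer be reached through the publisher, and that it is deliberately not `None`, which would mark it public. Without that, a reader of SecurityInfo.py cannot tell the assignment is the CVE-2012-5487 hardening named in the mail rather than a stray leftover; something like `# Not publishable: an empty role tuple denies all web access` above the `+` line would do.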
Index: zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py
===
--- zope2.12-2.12.26.orig/source/zope.traversing/src/zope/traversing/namespace.py 2012-11-22 19:00:29.0 +0900
+++ zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py 2012-11-24 13:16:40.229707666 +0900
@@ -31,7 +31,7 @@
from zope.traversing.interfaces import IEtcNamespace
from zope.traversing.interfaces import IPathAdapter
from zope.traversing.interfaces import ITraversable
-
+from zope.traversing.interfaces import TraversalError
class UnexpectedParameters(LocationError):
Unexpected namespace parameters were provided.
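Review bot: the import is added by replacing the blank line after the `ITraversable` import (the `-` blank line becomes `+from zope.traversing.interfaces import TraversalError`) instead of being inserted, so the separator between the import block and `class UnexpectedParameters(LocationError):` disappears; insert the import and keep the blank line(s) so the module layout stays as it was. The position itself is right, since `TraversalError` sorts after `ITraversable`.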
@@ -325,6 +325,9 @@
self.request = request
def traverse(self, name, ignored):
+if not name:
+raise TraversalError(self.context, name)
+
view = zope.component.queryMultiAdapter((self.context, self.request),
name=name)
if view is None:
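Review bot: the new guard `if not name: raise TraversalError(self.context, name)` should carry a comment explaining why an empty name is rejected: with `name=''`, the following `zope.component.queryMultiAdapter((self.context, self.request), name=name)` would return the unnamed (default) multi-adapter rather than a named view, which is the traversal the CVE-2012-5505 fix listed in the mail closes. A regression test that traverses the view namespace with an empty name and asserts `TraversalError` would document the behaviour and keep it from being reintroduced. The hunk relies on `TraversalError` being importable, which the earlier hunk in this file provides, so the two hunks must land together.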
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev