authorNico Golde <nion>2009-08-15 18:36:51 +0000
committerNico Golde <nion>2009-08-15 18:36:51 +0000
commitcee9f7a0da7fe6e7bb64c75b0d6868a05b65dbca (patch)
treeeb04923cdfe3e5b70f706321267b8894994c679e
parent2665f2f3724c378294a4873145c954bab3b6c81a (diff)
dsa-1863-1
CVS version numbers english/security/2009/dsa-1863.data: INITIAL -> 1.1 english/security/2009/dsa-1863.wml: INITIAL -> 1.1
-rw-r--r--english/security/2009/dsa-1863.data136
-rw-r--r--english/security/2009/dsa-1863.wml43
2 files changed, 179 insertions, 0 deletions
diff --git a/english/security/2009/dsa-1863.data b/english/security/2009/dsa-1863.data
new file mode 100644
index 00000000000..846b499585b
--- /dev/null
+++ b/english/security/2009/dsa-1863.data
@@ -0,0 +1,136 @@
+<define-tag pagetitle>DSA-1863-1 zope2.10/zope2.9</define-tag>
+<define-tag report_date>2009-8-15</define-tag>
+<define-tag secrefs>CVE-2009-0668 CVE-2009-0669</define-tag>
+<define-tag packages>zope2.10/zope2.9</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+
+#use wml::debian::security
+
+<h3>Debian GNU/Linux 4.0 (etch)</h3>
+
+<dl>
+
+Debian (oldstable)
+
+
+<dt><source />
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2.diff.gz />
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2.dsc />
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6.orig.tar.gz />
+
+<dt><arch-indep />
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9-sandbox_2.9.6-4etch2_all.deb />
+
+<dt>Alpha:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_alpha.deb />
+
+<dt>AMD64:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_amd64.deb />
+
+<dt>ARM:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_arm.deb />
+
+<dt>HP Precision:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_hppa.deb />
+
+<dt>Intel IA-32:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_i386.deb />
+
+<dt>Intel IA-64:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_ia64.deb />
+
+<dt>Big-endian MIPS:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_mips.deb />
+
+<dt>Little-endian MIPS:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_mipsel.deb />
+
+<dt>PowerPC:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_powerpc.deb />
+
+<dt>IBM S/390:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_s390.deb />
+
+<dt>Sun Sparc:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_sparc.deb />
+
+</dl>
+
+<h3>Debian GNU/Linux 5.0 (lenny)</h3>
+
+<dl>
+
+Debian (stable)
+
+
+<dt><source />
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6.orig.tar.gz />
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1.dsc />
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1.diff.gz />
+
+<dt><arch-indep />
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10-sandbox_2.10.6-1+lenny1_all.deb />
+
+<dt>Alpha:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_alpha.deb />
+
+<dt>AMD64:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_amd64.deb />
+
+<dt>ARM:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_arm.deb />
+
+<dt>ARM EABI:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_armel.deb />
+
+<dt>HP Precision:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_hppa.deb />
+
+<dt>Intel IA-32:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_i386.deb />
+
+<dt>Intel IA-64:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_ia64.deb />
+
+<dt>Little-endian MIPS:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_mipsel.deb />
+
+<dt>PowerPC:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_powerpc.deb />
+
+<dt>IBM S/390:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_s390.deb />
+
+<dt>Sun Sparc:
+
+ <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_sparc.deb />
+
+</dl>
+
+<p><md5sums http://lists.debian.org/debian-security-announce/2009/msg00180.html /></p>
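Review bot: The lenny section lists no big-endian MIPS package, while the etch section above it has a `<dt>Big-endian MIPS:` entry for zope2.9_2.9.6-4etch2_mips.deb, so the two sections are not parallel. If the zope2.10 mips build was simply not available when the advisory was written, a follow-up adding `<dt>Big-endian MIPS:` with the matching `_mips.deb` fileurl under the lenny `<dl>` would close the gap; if the omission is intentional it is worth stating in the commit message, since readers compare the two lists. The etch source entries are also ordered .diff.gz/.dsc/.orig.tar.gz while the lenny ones are .orig.tar.gz/.dsc/.diff.gz; harmless, but one order for both is easier to scan.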
diff --git a/english/security/2009/dsa-1863.wml b/english/security/2009/dsa-1863.wml
new file mode 100644
index 00000000000..2a1dfc5f206
--- /dev/null
+++ b/english/security/2009/dsa-1863.wml
@@ -0,0 +1,43 @@
+<define-tag description>several vulnerabilities</define-tag>
+<define-tag moreinfo>
+<p>Several remote vulnerabilities have been discovered in the zope,
+a feature-rich web application server written in python, that could
+lead to arbitrary code execution in the worst case. The Common
+Vulnerabilities and Exposures project identified the following problems:</p>
+
+<p>Due to a programming error an authorization method in the StorageServer
+component of ZEO was not used as an internal method. This allows a
+malicious client to bypass authentication when connecting to a ZEO server
+by simply calling this authorization method (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668">CVE-2009-0668</a>).</p>
+
+<p>The ZEO server doesn't restrict the callables when unpickling data received
+from a malicious client which can be used by an attacker to execute
+arbitrary python code on the server by sending certain exception pickles.
+This also allows an attacker to import any importable module as ZEO is
+importing the module containing a callable specified in a pickle to test
+for a certain flag (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668">CVE-2009-0668</a>).</p>
+
+<p>The update also limits the number of new object ids a client can request
+to 100 as it would be possible to consume huge amounts of resources by
+requesting a big batch of new object ids. No CVE id has been assigned to
+this.</p>
+
+
+<p>The oldstable distribution (etch), this problem has been fixed in
+version 2.9.6-4etch2 of zope2.9.</p>
+
+<p>For the stable distribution (lenny), this problem has been fixed in
+version 2.10.6-1+lenny1 of zope2.10.</p>
+
+<p>For the testing distribution (squeeze), this problem will be fixed soon.</p>
+
+<p>For the unstable distribution (sid), this problem has been fixed in
+version 2.10.9-1 of zope2.10.</p>
+
+
+<p>We recommend that you upgrade your zope2.10/zope2.9 packages.</p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2009/dsa-1863.data"
+# $Id$
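Review bot: The second vulnerability paragraph (the unpickling/callables issue) links CVE-2009-0668 a second time, while the companion dsa-1863.data file's secrefs tag lists both CVE-2009-0668 and CVE-2009-0669, so one of the two referenced ids never appears in the advisory text; one of the two paragraphs should link CVE-2009-0669 instead. Going by the MITRE entries the authentication-bypass paragraph is the one belonging to CVE-2009-0669 and the unpickling one to CVE-2009-0668, but confirm against the security tracker before this is published. Two wording fixes in the same hunk: `<p>Several remote vulnerabilities have been discovered in zope,` and `<p>For the oldstable distribution (etch), this problem has been fixed in`. The description tag says "several vulnerabilities" while every distribution paragraph says "this problem"; `these problems have been fixed` would read consistently.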
