author | Nico Golde <nion> | 2009-08-15 18:36:51 +0000
committer | Nico Golde <nion> | 2009-08-15 18:36:51 +0000
commit | cee9f7a0da7fe6e7bb64c75b0d6868a05b65dbca (patch)
tree | eb04923cdfe3e5b70f706321267b8894994c679e
parent | 2665f2f3724c378294a4873145c954bab3b6c81a (diff)
dsa-1863-1
CVS version numbers
english/security/2009/dsa-1863.data: INITIAL -> 1.1
english/security/2009/dsa-1863.wml: INITIAL -> 1.1
-rw-r--r-- | english/security/2009/dsa-1863.data | 136
-rw-r--r-- | english/security/2009/dsa-1863.wml | 43
2 files changed, 179 insertions, 0 deletions
diff --git a/english/security/2009/dsa-1863.data b/english/security/2009/dsa-1863.data new file mode 100644 index 00000000000..846b499585b --- /dev/null +++ b/english/security/2009/dsa-1863.data 
@@ -0,0 +1,136 @@ +<define-tag pagetitle>DSA-1863-1 zope2.10/zope2.9</define-tag> +<define-tag report_date>2009-8-15</define-tag> +<define-tag secrefs>CVE-2009-0668 CVE-2009-0669</define-tag> +<define-tag packages>zope2.10/zope2.9</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> + +#use wml::debian::security + +<h3>Debian GNU/Linux 4.0 (etch)</h3> + +<dl> + +Debian (oldstable) + + +<dt><source /> + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2.diff.gz /> + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2.dsc /> + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6.orig.tar.gz /> + +<dt><arch-indep /> + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9-sandbox_2.9.6-4etch2_all.deb /> + +<dt>Alpha: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_alpha.deb /> + +<dt>AMD64: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_amd64.deb /> + +<dt>ARM: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_arm.deb /> + +<dt>HP Precision: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_hppa.deb /> + +<dt>Intel IA-32: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_i386.deb /> + +<dt>Intel IA-64: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_ia64.deb /> + +<dt>Big-endian MIPS: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_mips.deb /> + +<dt>Little-endian MIPS: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_mipsel.deb /> + +<dt>PowerPC: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_powerpc.deb /> + 
+<dt>IBM S/390: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_s390.deb /> + +<dt>Sun Sparc: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.9/zope2.9_2.9.6-4etch2_sparc.deb /> + +</dl> + +<h3>Debian GNU/Linux 5.0 (lenny)</h3> + +<dl> + +Debian (stable) + + +<dt><source /> + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6.orig.tar.gz /> + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1.dsc /> + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1.diff.gz /> + +<dt><arch-indep /> + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10-sandbox_2.10.6-1+lenny1_all.deb /> + +<dt>Alpha: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_alpha.deb /> + +<dt>AMD64: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_amd64.deb /> + +<dt>ARM: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_arm.deb /> + +<dt>ARM EABI: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_armel.deb /> + +<dt>HP Precision: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_hppa.deb /> + +<dt>Intel IA-32: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_i386.deb /> + +<dt>Intel IA-64: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_ia64.deb /> + +<dt>Little-endian MIPS: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_mipsel.deb /> + +<dt>PowerPC: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_powerpc.deb /> + +<dt>IBM S/390: + + <dd><fileurl 
http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_s390.deb /> + +<dt>Sun Sparc: + + <dd><fileurl http://security.debian.org/pool/updates/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_sparc.deb /> + +</dl> + +<p><md5sums http://lists.debian.org/debian-security-announce/2009/msg00180.html /></p> diff --git a/english/security/2009/dsa-1863.wml b/english/security/2009/dsa-1863.wml new file mode 100644 index 00000000000..2a1dfc5f206 --- /dev/null +++ b/english/security/2009/dsa-1863.wml 
@@ -0,0 +1,43 @@ +<define-tag description>several vulnerabilities</define-tag> +<define-tag moreinfo> +<p>Several remote vulnerabilities have been discovered in the zope, +a feature-rich web application server written in python, that could +lead to arbitrary code execution in the worst case. The Common +Vulnerabilities and Exposures project identified the following problems:</p> + +<p>Due to a programming error an authorization method in the StorageServer +component of ZEO was not used as an internal method. This allows a +malicious client to bypass authentication when connecting to a ZEO server +by simply calling this authorization method (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668">CVE-2009-0668</a>).</p> + +<p>The ZEO server doesn't restrict the callables when unpickling data received +from a malicious client which can be used by an attacker to execute +arbitrary python code on the server by sending certain exception pickles. +This also allows an attacker to import any importable module as ZEO is +importing the module containing a callable specified in a pickle to test +for a certain flag (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668">CVE-2009-0668</a>).</p> + +<p>The update also limits the number of new object ids a client can request +to 100 as it would be possible to consume huge amounts of resources by +requesting a big batch of new object ids. 
No CVE id has been assigned to +this.</p> + + +<p>The oldstable distribution (etch), this problem has been fixed in +version 2.9.6-4etch2 of zope2.9.</p> + +<p>For the stable distribution (lenny), this problem has been fixed in +version 2.10.6-1+lenny1 of zope2.10.</p> + +<p>For the testing distribution (squeeze), this problem will be fixed soon.</p> + +<p>For the unstable distribution (sid), this problem has been fixed in +version 2.10.9-1 of zope2.10.</p> + + +<p>We recommend that you upgrade your zope2.10/zope2.9 packages.</p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/security/2009/dsa-1863.data" +# $Id$ |
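Review bot: the lenny architecture list in dsa-1863.data has no Big-endian MIPS entry, although the etch list above it does and every other etch architecture reappears for lenny (plus ARM EABI); confirm whether the mips build is intentionally absent for lenny or whether its `<dt>`/`<dd>` block was dropped. Minor: the three source entries are listed in a different order in the two sections (.diff.gz, .dsc, .orig.tar.gz for etch versus .orig.tar.gz, .dsc, .diff.gz for lenny); using the same order in both blocks makes them easier to compare.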
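Review bot: the CVE references in dsa-1863.wml do not match the secrefs tag in dsa-1863.data: both vulnerability paragraphs link to CVE-2009-0668 and CVE-2009-0669 is never cited, even though secrefs lists both ids, so the second paragraph (unrestricted callables when unpickling client data) most likely should carry CVE-2009-0669. Wording in the same hunk: "discovered in the zope," reads better as "discovered in Zope,"; "The oldstable distribution (etch), this problem has been fixed" is missing the leading "For"; and since the advisory describes several vulnerabilities, "this problem" in the four distribution paragraphs should be "these problems".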