d/deb-zope

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] new version of zope released
Date: Fri, 11 Aug 2000 20:30:47 -0400 (EDT)
From: mstone@justice.loyola.edu (Michael Stone)

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory                             security@debian.org
http://www.debian.org/security/                            Michael Stone
August 11, 2000
- ------------------------------------------------------------------------

Package: zope
Vulnerability type: remote unprivileged access
Debian-specific: no

On versions of Zope prior to 2.2beta1 it was possible for a user with the
ability to edit DTML can gain unauthorized access to extra roles during a
request. 

Debian 2.1 (slink) did not include zope, and is not vulnerable. The widely-used
Debian 2.2 (potato) pre-release does include zope and is vulnerable to this
issue. A fixed package for Debian 2.2 (potato) is available in zope 2.1.6-5.1.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.1 alias slink
- --------------------------------

  This version of Debian did not include zope and is not vulnerable.



Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Source archives:
    http://security.debian.org/dists/frozen/updates/main/source/zope_2.1.6-5.1.diff.gz
      MD5 checksum: c75d6ccc953227214aa8cdcdc720c38a
    http://security.debian.org/dists/frozen/updates/main/source/zope_2.1.6-5.1.dsc
      MD5 checksum: 8332bcfbadc37bbe32e2a64d3b41300f
    http://security.debian.org/dists/frozen/updates/main/source/zope_2.1.6.orig.tar.gz
      MD5 checksum: 6ec4320afd6925c24f9f1b5cd7c4d7c5
  Alpha architecture:
    http://security.debian.org/dists/frozen/updates/main/binary-alpha/zope_2.1.6-5.1_alpha.deb
      MD5 checksum: f3432b908238de8b2fef2d8f10dd82ae
  Arm architecture:
    http://security.debian.org/dists/frozen/updates/main/binary-arm/zope_2.1.6-5.1_arm.deb
      MD5 checksum: 59bb35f4ac17bf1aa6c37d76a624f3c7
  Intel ia32 architecture:
    http://security.debian.org/dists/frozen/updates/main/binary-i386/zope_2.1.6-5.1_i386.deb
      MD5 checksum: 4716213c3986dd0e871a33acc8576c66
  Motorola 680x0 architecture:
    Will be available shortly
  PowerPC architecture:
    http://security.debian.org/dists/frozen/updates/main/binary-powerpc/zope_2.1.6-5.1_powerpc.deb
      MD5 checksum: 1345120dcca3a253b099b6d42ffc9f4b
  Sun Sparc architecture:
    http://security.debian.org/dists/frozen/updates/main/binary-sparc/zope_2.1.6-5.1_sparc.deb
      MD5 checksum: ed818435e7b672521d364a3c044a4043


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOZSaiw0hVr09l8FJAQG2nwP9HYCgsfMOrTBrRQeUzjbsXXuneUpOrzAZ
8kOLGczsIFWo7n3CDtCMjmgrXVfuF6zSq4XS9afJahLrdwfJWdXjhMXb7SHQ71ZU
J/2OHoZdGVR2HizEKY8M3wpWw+BnJMUaLomv2LkgqaO5K2zJ2zNgLKIlHCrYHjIP
cRtS6qszYqw=
=ZzS9
-----END PGP SIGNATURE-----


--  
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org