[LWN Logo]
[Timeline]
Date: Wed, 20 Dec 2000 16:31:10 -0200
To: lwn@lwn.net, bugtraq@securityfocus.com, security-alert@linuxsecurity.com,
Subject: [CLA-2000:365] Conectiva Linux Security Announcement - Zope
From: secure@conectiva.com.br

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- -----------------------------------------------------------------------

PACKAGE   : Zope
SUMMARY   : Permission problems
DATE      : 2000-12-20 15:52:00
ID        : CLA-2000:365
RELEVANT
RELEASES  : 4.2, 5.0, 5.1, 6.0

- ----------------------------------------------------------------------

DESCRIPTION
 Two hotfixes have been released that address security problems with
 Zope-2.1.x:
 2000-21-15a: local roles computation. In some situations users with
 pivileges in one folder could gain the same privileges on another
 folder.
 2000-12-18: image updating method. Users with DTML editing privileges
 could edit the raw data of a File or Image object via DTML, even
 though they did not have editing priveleges on the objects
 themselves.
 Additionally, the so called POST bug was also fixed, where POST
 requests would interfere with each other.


SOLUTION
 It is recommended that all Zope users upgrade to the updated
 packages.


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/Zope-2.1.7-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-components-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-core-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-pcgi-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-services-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-zpublisher-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-ztemplates-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/Zope-2.1.7-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-components-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-core-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-pcgi-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-services-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-zpublisher-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-ztemplates-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/Zope-2.1.7-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-components-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-core-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-pcgi-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-services-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-zpublisher-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-ztemplates-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/Zope-2.1.7-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/Zope-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/Zope-components-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/Zope-core-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/Zope-pcgi-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/Zope-services-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/Zope-zpublisher-2.1.7-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/Zope-ztemplates-2.1.7-10cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- ----------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key can be 
obtained at http://www.conectiva.com.br/contato

- -----------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.conectiva.com.br/suporte/atualizacoes

- ----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6QPrt42jd0JmAcZARAkdlAKCLEhpGVo4rKBcmm4hPpUGFzBL9BACfXIcU
qGgSFTbWDkEcuTVzto4diYQ=
=aj1L
-----END PGP SIGNATURE-----