COMMAND
Zope
SYSTEMS AFFECTED
Zope
PROBLEM
There are issues in the getRoles method of user objects contained
in the default UserFolder implementation. Users with the ability
to edit DTML could arrange to give themselves extra roles for the
duration of a single request by mutating the roles list as part
of the request processing.
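As an added illustration (not Zope's own code), the aliasing pattern behind this issue in a constructed Python stand-in for a user object: the vulnerable form hands out its live internal roles list, so any mutation by untrusted code is visible to later permission checks in the same request; the hardened form returns an immutable snapshot. The class and function names are hypothetical.

```python
# Constructed stand-in for a UserFolder user object. Not Zope code;
# it only reproduces the bug class: getRoles() returning internal state.

class LeakyUser:
    """Vulnerable pattern: getRoles() returns the live internal list."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        # The caller receives a reference to _roles, not a copy.
        return self._roles

    def has_role(self, role):
        # Authorization checks read the same internal list.
        return role in self._roles


class SafeUser(LeakyUser):
    """Hardened pattern: hand out an immutable snapshot of the roles."""

    def getRoles(self):
        # A fresh tuple: the caller cannot reach _roles through it.
        return tuple(self._roles)


def mutate_returned_roles(user):
    """Simulate request-time code that only holds a getRoles() result and
    tries to extend it. Returns True if the mutation succeeded."""
    roles = user.getRoles()
    try:
        roles.append('Manager')     # works on a list, fails on a tuple
        return True
    except AttributeError:
        return False


def check_isolation(user_cls):
    """Audit helper: (mutation succeeded, user now passes a Manager check).
    A correct implementation yields (False, False)."""
    user = user_cls('alice', ['Authenticated', 'Editor'])
    mutated = mutate_returned_roles(user)
    return mutated, user.has_role('Manager')
```

Running check_isolation against each class shows that only the aliased list lets a mutation during request processing change the outcome of a later role check.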
SOLUTION
Users of Red Hat Powertools 6.1 who have not upgraded Zope to the
version of Zope released in Red Hat Powertools 6.2 (2.1.2-5) need
to do so prior to installing this Zope update. The Zope packages
from 6.2 are located at:
ftp://ftp.redhat.com/pub/redhat/powertools/6.2/
After you have upgraded to Zope-2.1.2-5 install the Zope-Hotfix
package. To install the update, use this command:
rpm -Uvh Zope-Hotfix-DTML-08_17_2000-1.noarch.rpm
Once the Zope-Hotfix package is installed, restart Zope.
Debian 2.1 (slink) did not include zope, and is not vulnerable.
The widely-used Debian 2.2 (potato) pre-release does include zope
and is vulnerable to this issue. A fixed package for Debian 2.2
(potato) is available in zope 2.1.6-5.1.
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/Zope-2.1.7-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-components-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-core-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-pcgi-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-services-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-zpublisher-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-ztemplates-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/Zope-2.1.7-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-components-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-core-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-pcgi-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-services-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-zpublisher-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-ztemplates-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/Zope-2.1.7-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-components-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-core-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-pcgi-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-services-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-zpublisher-2.1.7-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-ztemplates-2.1.7-6cl.i386.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.0.tgz
For Linux-Mandrake:
Linux-Mandrake 7.1:
7.1/RPMS/Zope-2.1.6-3mdk.i586.rpm
7.1/RPMS/Zope-components-2.1.6-3mdk.i586.rpm
7.1/RPMS/Zope-core-2.1.6-3mdk.i586.rpm
7.1/RPMS/Zope-pcgi-2.1.6-3mdk.i586.rpm
7.1/RPMS/Zope-services-2.1.6-3mdk.i586.rpm
7.1/RPMS/Zope-zpublisher-2.1.6-3mdk.i586.rpm
7.1/RPMS/Zope-zserver-2.1.6-3mdk.i586.rpm
7.1/RPMS/Zope-ztemplates-2.1.6-3mdk.i586.rpm
7.1/SRPMS/Zope-2.1.6-3mdk.src.rpm
Debian 2.1 (slink) did not include zope, and is not vulnerable.
Debian 2.2 (potato) does include zope and is vulnerable to this
issue. A fixed package for Debian 2.2 (potato) is available in
zope 2.1.6-5.2.