LinuxSecurity.com
RedHat: 'Zope' unauthorized access vulnerability
Posted by LinuxSecurity.com Team   
Red Hat Linux: The issue involves the fmt attribute of dtml-var tags. Without this correction, Zope does not check security access to methods invoked through fmt. This issue could allow partially trusted users with enough knowledge of Zope to call, in a limited way, methods they would not otherwise be allowed to access.

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New Zope packages are available
Advisory ID:       RHSA-2001:115-05
Issue date:        2001-10-02
Updated on:        2001-10-09
Product:           Red Hat Powertools
Keywords:          
Cross references:  
Obsoletes:         RHSA-2001-065 RHSA-2001-021 RHSA-2000-135 RHSA-2000-125
---------------------------------------------------------------------

1. Topic:

New Zope packages are available which fix a security flaw with DTML
scripting.

2. Relevant releases/architectures:

Red Hat Powertools 6.2 - alpha, i386, sparc

Red Hat Powertools 7.0 - alpha, i386

Red Hat Powertools 7.1 - alpha, i386

3. Problem description:

The updated packages include a "hotfix" product which addresses a security
problem with DTML scripting, as described in the Hotfix_2001-09-28
README.txt file: "The issue involves the fmt attribute of dtml-var tags.
Without this correction, Zope does not check security access to methods
invoked through fmt.  This issue could allow partially trusted users with
enough knowledge of Zope to call, in a limited way, methods they would not
otherwise be allowed to access."
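To make the class of flaw concrete, here is a simplified model written for this page; it is not Zope's own code, and the `Document` class, the `fmt` handlers and the `REQUIRED_PERMISSION` policy table are all assumptions. The unchecked renderer resolves whatever name arrives in `fmt` to a method and calls it, which is the behaviour the advisory describes; the checked renderer applies the same permission test the method would face on a direct call.

```python
class Unauthorized(Exception):
    """Raised when a caller lacks the permission a method requires."""


class Document:
    """Stand-in for a content object that a DTML template can render.
    Constructed for this example; it is not a Zope class."""

    def __init__(self, title, owner_email):
        self.title = title
        self._owner_email = owner_email

    def html_quote(self, value):
        # Harmless formatter that any viewer may use.
        return (str(value).replace("&", "&amp;")
                .replace("<", "&lt;").replace(">", "&gt;"))

    def owner_contact(self, value):
        # Privileged: exposes the owner's address, so it must require "Manage".
        return f"{value} (contact: {self._owner_email})"


# Assumed permission policy: method name -> permission needed to call it.
# Names absent from the table are not callable through fmt at all.
REQUIRED_PERMISSION = {
    "html_quote": "View",
    "owner_contact": "Manage",
}


def render_var_unchecked(obj, name, fmt):
    """Vulnerable pattern: the fmt value is resolved to a method by name and
    called with no access check, which is what the advisory describes."""
    value = getattr(obj, name)
    formatter = getattr(obj, fmt)
    return formatter(value)


def fmt_permitted(fmt, user_permissions):
    """True only if fmt names a method in the policy table and the caller
    holds the permission that method requires."""
    required = REQUIRED_PERMISSION.get(fmt)
    return required is not None and required in user_permissions


def render_var_checked(obj, name, fmt, user_permissions):
    """Hardened pattern: a method reached through fmt passes the same
    permission check it would face if the user called it directly."""
    if not fmt_permitted(fmt, user_permissions):
        raise Unauthorized(
            f"fmt={fmt!r} requires {REQUIRED_PERMISSION.get(fmt)!r}")
    value = getattr(obj, name)
    return getattr(obj, fmt)(value)


if __name__ == "__main__":
    # Constructed sample object and a user holding only the "View" permission.
    doc = Document("<Quarterly report>", "owner@example.invalid")
    viewer = {"View"}
    print(render_var_unchecked(doc, "title", "owner_contact"))    # no check
    print(render_var_checked(doc, "title", "html_quote", viewer))  # allowed
    try:
        render_var_checked(doc, "title", "owner_contact", viewer)
    except Unauthorized as exc:
        print("blocked:", exc)
```

The design point is that the check lives in the dispatcher, not in each formatter: any method reachable by name from template input is an entry point, and an explicit allowlist with a required permission per entry fails closed for names nobody thought to list.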

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this to be an easier way to apply updates.  To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

After you have updated the packages, you must restart zope:

  /etc/rc.d/init.d/zope restart

5. Bug IDs fixed  (http://bugzilla.redhat.com/bugzilla for more info):



6. RPMs required:

Red Hat Powertools 6.2:

SRPMS: 
ftp://updates.redhat.com/6.2/en/powertools/SRPMS/Zope-2.2.4-9.src.rpm

alpha: 
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-2.2.4-9.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-core-2.2.4-9.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-components-2.2.4-9.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-ztemplates-2.2.4-9.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-zpublisher-2.2.4-9.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-services-2.2.4-9.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-zserver-2.2.4-9.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/Zope-pcgi-2.2.4-9.alpha.rpm

i386: 
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-2.2.4-9.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-core-2.2.4-9.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-components-2.2.4-9.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-ztemplates-2.2.4-9.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-zpublisher-2.2.4-9.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-services-2.2.4-9.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-zserver-2.2.4-9.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/Zope-pcgi-2.2.4-9.i386.rpm

sparc: 
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-2.2.4-9.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-core-2.2.4-9.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-components-2.2.4-9.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-ztemplates-2.2.4-9.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-zpublisher-2.2.4-9.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-services-2.2.4-9.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-zserver-2.2.4-9.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/Zope-pcgi-2.2.4-9.sparc.rpm

Red Hat Powertools 7.0:

SRPMS: 
ftp://updates.redhat.com/7.0/en/powertools/SRPMS/Zope-2.2.5-8.src.rpm

alpha: 
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-components-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-core-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-pcgi-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-services-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-zpublisher-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-zserver-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.0/en/powertools/alpha/Zope-ztemplates-2.2.5-8.alpha.rpm

i386: 
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-components-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-core-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-pcgi-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-services-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-zpublisher-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-zserver-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.0/en/powertools/i386/Zope-ztemplates-2.2.5-8.i386.rpm

Red Hat Powertools 7.1:

SRPMS: 
ftp://updates.redhat.com/7.1/en/powertools/SRPMS/Zope-2.2.5-8.src.rpm

alpha: 
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-components-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-core-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-pcgi-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-services-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-zpublisher-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-zserver-2.2.5-8.alpha.rpm
ftp://updates.redhat.com/7.1/en/powertools/alpha/Zope-ztemplates-2.2.5-8.alpha.rpm

i386: 
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-components-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-core-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-pcgi-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-services-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-zpublisher-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-zserver-2.2.5-8.i386.rpm
ftp://updates.redhat.com/7.1/en/powertools/i386/Zope-ztemplates-2.2.5-8.i386.rpm



7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
3c1235415148e6623f64e0a4e76e4d1d 6.2/en/powertools/SRPMS/Zope-2.2.4-9.src.rpm
1db6c7dd618f2219f550c4c3dd6378e7 6.2/en/powertools/alpha/Zope-2.2.4-9.alpha.rpm
d1714ff497622f75aaab08633f8b5f40 6.2/en/powertools/alpha/Zope-components-2.2.4-9.alpha.rpm
a5e071a56fbde35af7adf04bb3f82a6e 6.2/en/powertools/alpha/Zope-core-2.2.4-9.alpha.rpm
2638543302411fa5e2dd3fbb214590c1 6.2/en/powertools/alpha/Zope-pcgi-2.2.4-9.alpha.rpm
7b989758802b4c47a0c6d54bbe4c15ff 6.2/en/powertools/alpha/Zope-services-2.2.4-9.alpha.rpm
671673618debf9a2f2691e44b7f3949d 6.2/en/powertools/alpha/Zope-zpublisher-2.2.4-9.alpha.rpm
581f0f4fab451ff23fcaba7988ec56fb 6.2/en/powertools/alpha/Zope-zserver-2.2.4-9.alpha.rpm
a4d6e35ab199f6d1cfb64abcb019c6b6 6.2/en/powertools/alpha/Zope-ztemplates-2.2.4-9.alpha.rpm
72034fb8d7a6dffd4c903f0f3c2322b8 6.2/en/powertools/i386/Zope-2.2.4-9.i386.rpm
3cab22c23facbaf6ab30ee9a5fc99cdd 6.2/en/powertools/i386/Zope-components-2.2.4-9.i386.rpm
7c72b25ae0c38a7a868b539633a66150 6.2/en/powertools/i386/Zope-core-2.2.4-9.i386.rpm
ae85a8ecb8e41caf044d4424b544f20e 6.2/en/powertools/i386/Zope-pcgi-2.2.4-9.i386.rpm
c32ae40d8c7c82fb1b43e32ed956ebda 6.2/en/powertools/i386/Zope-services-2.2.4-9.i386.rpm
490c9af30fe7918cb6df5cca509ef19a 6.2/en/powertools/i386/Zope-zpublisher-2.2.4-9.i386.rpm
5a30fa8bf31b2f7eaaf6da8a47420a10 6.2/en/powertools/i386/Zope-zserver-2.2.4-9.i386.rpm
aaab79e53686b566ae5af737876e7825 6.2/en/powertools/i386/Zope-ztemplates-2.2.4-9.i386.rpm
07aad896f42d36ea0ad1a2674ade9774 6.2/en/powertools/sparc/Zope-2.2.4-9.sparc.rpm
368a10766c6effe9c7c33ca50942c3cf 6.2/en/powertools/sparc/Zope-components-2.2.4-9.sparc.rpm
77f2bb0d08c9baaf40264758726777e1 6.2/en/powertools/sparc/Zope-core-2.2.4-9.sparc.rpm
51c27034d265e0971464d7a7bfc02aeb 6.2/en/powertools/sparc/Zope-pcgi-2.2.4-9.sparc.rpm
d4e01fc786ad6dbd1aae654e1b83768d 6.2/en/powertools/sparc/Zope-services-2.2.4-9.sparc.rpm
85da16d400b48c7a7ea365f88bb47d43 6.2/en/powertools/sparc/Zope-zpublisher-2.2.4-9.sparc.rpm
68fbb73fd991ea3cfc4e19a9acc3f527 6.2/en/powertools/sparc/Zope-zserver-2.2.4-9.sparc.rpm
112d287aaeb0013787699b99ddfb9e74 6.2/en/powertools/sparc/Zope-ztemplates-2.2.4-9.sparc.rpm
1cbc3eeac888b3bf209b739a6f3238b4 7.0/en/powertools/SRPMS/Zope-2.2.5-8.src.rpm
6c76c01f86f4dde5d63441075797783a 7.0/en/powertools/alpha/Zope-2.2.5-8.alpha.rpm
ce1f7032344efaea5d6fb5c032905471 7.0/en/powertools/alpha/Zope-components-2.2.5-8.alpha.rpm
4c630ecc4f19f48395cf4c7d32a9bee5 7.0/en/powertools/alpha/Zope-core-2.2.5-8.alpha.rpm
476cf89c1f3f4c530fa95e8e276faa36 7.0/en/powertools/alpha/Zope-pcgi-2.2.5-8.alpha.rpm
80ed8e74e4fef5270050d806dd39aa71 7.0/en/powertools/alpha/Zope-services-2.2.5-8.alpha.rpm
f3e796a9bad8de8c9d0dc531d11f2b76 7.0/en/powertools/alpha/Zope-zpublisher-2.2.5-8.alpha.rpm
66abeb448162b75f0d140715c4de84cc 7.0/en/powertools/alpha/Zope-zserver-2.2.5-8.alpha.rpm
4a8c4e9ad9ec6e5839696cbd67331648 7.0/en/powertools/alpha/Zope-ztemplates-2.2.5-8.alpha.rpm
c8428b0d4e8bc8c52b218137286ed266 7.0/en/powertools/i386/Zope-2.2.5-8.i386.rpm
edd23e731a9de98db074feab671273e3 7.0/en/powertools/i386/Zope-components-2.2.5-8.i386.rpm
d96f8017dfff29d792dc0208f421e4d3 7.0/en/powertools/i386/Zope-core-2.2.5-8.i386.rpm
d621b5ee62c7c34d23bc14a5aa348f42 7.0/en/powertools/i386/Zope-pcgi-2.2.5-8.i386.rpm
6b44945ad005e77f2574a7d7e863d86e 7.0/en/powertools/i386/Zope-services-2.2.5-8.i386.rpm
d335b1d74a5f5ec63cafc55aae7d2bb9 7.0/en/powertools/i386/Zope-zpublisher-2.2.5-8.i386.rpm
da0c212ae65667d360f282fab4c50f39 7.0/en/powertools/i386/Zope-zserver-2.2.5-8.i386.rpm
edcfa547423e49a29e6a0f32d7bc98cb 7.0/en/powertools/i386/Zope-ztemplates-2.2.5-8.i386.rpm
1cbc3eeac888b3bf209b739a6f3238b4 7.1/en/powertools/SRPMS/Zope-2.2.5-8.src.rpm
6c76c01f86f4dde5d63441075797783a 7.1/en/powertools/alpha/Zope-2.2.5-8.alpha.rpm
ce1f7032344efaea5d6fb5c032905471 7.1/en/powertools/alpha/Zope-components-2.2.5-8.alpha.rpm
4c630ecc4f19f48395cf4c7d32a9bee5 7.1/en/powertools/alpha/Zope-core-2.2.5-8.alpha.rpm
476cf89c1f3f4c530fa95e8e276faa36 7.1/en/powertools/alpha/Zope-pcgi-2.2.5-8.alpha.rpm
80ed8e74e4fef5270050d806dd39aa71 7.1/en/powertools/alpha/Zope-services-2.2.5-8.alpha.rpm
f3e796a9bad8de8c9d0dc531d11f2b76 7.1/en/powertools/alpha/Zope-zpublisher-2.2.5-8.alpha.rpm
66abeb448162b75f0d140715c4de84cc 7.1/en/powertools/alpha/Zope-zserver-2.2.5-8.alpha.rpm
4a8c4e9ad9ec6e5839696cbd67331648 7.1/en/powertools/alpha/Zope-ztemplates-2.2.5-8.alpha.rpm
c8428b0d4e8bc8c52b218137286ed266 7.1/en/powertools/i386/Zope-2.2.5-8.i386.rpm
edd23e731a9de98db074feab671273e3 7.1/en/powertools/i386/Zope-components-2.2.5-8.i386.rpm
d96f8017dfff29d792dc0208f421e4d3 7.1/en/powertools/i386/Zope-core-2.2.5-8.i386.rpm
d621b5ee62c7c34d23bc14a5aa348f42 7.1/en/powertools/i386/Zope-pcgi-2.2.5-8.i386.rpm
6b44945ad005e77f2574a7d7e863d86e 7.1/en/powertools/i386/Zope-services-2.2.5-8.i386.rpm
d335b1d74a5f5ec63cafc55aae7d2bb9 7.1/en/powertools/i386/Zope-zpublisher-2.2.5-8.i386.rpm
da0c212ae65667d360f282fab4c50f39 7.1/en/powertools/i386/Zope-zserver-2.2.5-8.i386.rpm
edcfa547423e49a29e6a0f32d7bc98cb 7.1/en/powertools/i386/Zope-ztemplates-2.2.5-8.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
     http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg [filename]
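The rpm commands above do the signature and checksum checks on the installed tool's terms. As an added example written for this page (not a Red Hat tool), the following Python does the MD5 half offline: it parses a table in the format of section 7 and compares each digest with the same-named file in a download directory, reporting what matched, what is missing and what differs. The package names are taken from this advisory; the file contents and digests in `demo()` are constructed, with one digest deliberately wrong to model a corrupted download. The GPG signature check remains the one that proves the packages came from Red Hat; an MD5 match only shows the file agrees with what the advisory listed.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_md5_table(text):
    """Parse lines of the form '<32 hex digits> <relative path>' into a dict.
    The 'MD5 sum  Package Name' header and the dashed rule are skipped
    because they do not split into a 32-hex-digit token plus one path."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1]
        if len(digest) == 32 and set(digest) <= HEX:
            table[path] = digest
    return table


def md5_of_file(path):
    """Stream the file through MD5; RPMs can be large, so do not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(table, download_dir):
    """Compare each table entry with the same-named file in download_dir.
    Returns (ok, missing, mismatched) as sorted lists of table paths."""
    ok, missing, mismatched = [], [], []
    for rel, expected in sorted(table.items()):
        local = os.path.join(download_dir, os.path.basename(rel))
        if not os.path.isfile(local):
            missing.append(rel)
        elif md5_of_file(local) == expected:
            ok.append(rel)
        else:
            mismatched.append(rel)
    return ok, missing, mismatched


def demo():
    """Constructed scenario: two fake package files in a temp dir and a table
    listing both plus one package that was never downloaded. The second
    file's table digest is deliberately wrong (all zeros) to model a
    corrupted download; the third entry has no file at all."""
    with tempfile.TemporaryDirectory() as d:
        names = ["Zope-2.2.5-8.i386.rpm", "Zope-core-2.2.5-8.i386.rpm"]
        bodies = [b"constructed body A\n", b"constructed body B\n"]
        for n, body in zip(names, bodies):
            with open(os.path.join(d, n), "wb") as f:
                f.write(body)
        good_digest = md5_of_file(os.path.join(d, names[0]))
        table_text = "\n".join([
            "MD5 sum                           Package Name",
            "-" * 74,
            f"{good_digest} 7.1/en/powertools/i386/{names[0]}",
            f"{'0' * 32} 7.1/en/powertools/i386/{names[1]}",
            f"{'f' * 32} 7.1/en/powertools/i386/Zope-pcgi-2.2.5-8.i386.rpm",
        ])
        return verify_downloads(parse_md5_table(table_text), d)


if __name__ == "__main__":
    ok, missing, mismatched = demo()
    print("ok:", ok)
    print("missing:", missing)
    print("mismatched:", mismatched)
```

Run it against a real download directory by feeding `parse_md5_table` the text of section 7 and passing the directory to `verify_downloads`; any entry in the mismatched list should be re-downloaded and re-checked before `rpm -Fvh` is run.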

8. References:
 
http://www.zope.org/Products/Zope/Hotfix_2001-09-28/README.txt 
http://lwn.net/daily/zope-dtml-fmt.php3


Copyright(c) 2000, 2001 Red Hat, Inc.
