Red Hat: 'Zope' vulnerability
Posted by LinuxSecurity.com Team   
RedHat Linux Vulnerability in legacy names allows calling those contructors without thecorrect permissions.

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          New Zope packages are available.
Advisory ID:       RHSA-2000:125-02
Issue date:        2000-12-12
Updated on:        2000-12-12
Product:           Red Hat Powertools
Keywords:          N/A
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Vulnerability in legacy names allows calling those contructors without the
correct permissions.

2. Relevant releases/architectures:

Red Hat Powertools 6.1 - i386, alpha, sparc
Red Hat Powertools 6.2 - i386, alpha, sparc
Red Hat Powertools 7.0 - i386, alpha

3. Problem description:

A vulnerablity exists in previously released versions of Zope where users
can create new DTML method instances through the Web without having the
correct permissions.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

Make sure that you have applied all updates for Apache if you are using the
Zope-pcgi package.

NOTE: This errata supercedes all other advisories from Red Hat concerning
Zope.

5. Bug IDs fixed  (http://bugzilla.Red Hat.com/bugzilla for more info):

N/A

6. RPMs required:

Red Hat Powertools 6.2:

alpha: 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-2.2.4-3.alpha.rpm 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-components-2.2.4-3.alpha.rpm 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-core-2.2.4-3.alpha.rpm 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-pcgi-2.2.4-3.alpha.rpm 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-services-2.2.4-3.alpha.rpm 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-zpublisher-2.2.4-3.alpha.rpm 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-zserver-2.2.4-3.alpha.rpm 
ftp://updates.Red Hat.com/powertools/6.2/alpha/Zope-ztemplates-2.2.4-3.alpha.rpm

sparc: 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-2.2.4-3.sparc.rpm 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-components-2.2.4-3.sparc.rpm 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-core-2.2.4-3.sparc.rpm 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-pcgi-2.2.4-3.sparc.rpm 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-services-2.2.4-3.sparc.rpm 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-zpublisher-2.2.4-3.sparc.rpm 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-zserver-2.2.4-3.sparc.rpm 
ftp://updates.Red Hat.com/powertools/6.2/sparc/Zope-ztemplates-2.2.4-3.sparc.rpm

i386: 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-2.2.4-3.i386.rpm 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-components-2.2.4-3.i386.rpm 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-core-2.2.4-3.i386.rpm 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-pcgi-2.2.4-3.i386.rpm 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-services-2.2.4-3.i386.rpm 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-zpublisher-2.2.4-3.i386.rpm 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-zserver-2.2.4-3.i386.rpm 
ftp://updates.Red Hat.com/powertools/6.2/i386/Zope-ztemplates-2.2.4-3.i386.rpm

sources: 
ftp://updates.Red Hat.com/powertools/6.2/SRPMS/Zope-2.2.4-3.src.rpm

Red Hat Powertools 7.0:

alpha: 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-2.2.4-4.alpha.rpm 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-components-2.2.4-4.alpha.rpm 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-core-2.2.4-4.alpha.rpm 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-pcgi-2.2.4-4.alpha.rpm 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-services-2.2.4-4.alpha.rpm 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-zpublisher-2.2.4-4.alpha.rpm 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-zserver-2.2.4-4.alpha.rpm 
ftp://updates.Red Hat.com/powertools/7.0/alpha/Zope-ztemplates-2.2.4-4.alpha.rpm

i386: 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-2.2.4-4.i386.rpm 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-components-2.2.4-4.i386.rpm 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-core-2.2.4-4.i386.rpm 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-pcgi-2.2.4-4.i386.rpm 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-services-2.2.4-4.i386.rpm 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-zpublisher-2.2.4-4.i386.rpm 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-zserver-2.2.4-4.i386.rpm 
ftp://updates.Red Hat.com/powertools/7.0/i386/Zope-ztemplates-2.2.4-4.i386.rpm

sources: 
ftp://updates.Red Hat.com/powertools/7.0/SRPMS/Zope-2.2.4-4.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
7f23985cf46d3dd1549c3efb61008064  6.2/SRPMS/Zope-2.2.4-3.src.rpm
d7f73eea703056eb44007e7044c1ee01  6.2/alpha/Zope-2.2.4-3.alpha.rpm
73c19b7937255380af1877ff9ccfa7ab  6.2/alpha/Zope-components-2.2.4-3.alpha.rpm
8fa91974cbf97bd63e9d93d9f428f4ef  6.2/alpha/Zope-core-2.2.4-3.alpha.rpm
4ba68e9f304084bc05ba8b81073afe4b  6.2/alpha/Zope-pcgi-2.2.4-3.alpha.rpm
46c6e6d2347cae0b1d72292af7bb8868  6.2/alpha/Zope-services-2.2.4-3.alpha.rpm
68b4230f02400568ad4ddecf27317bd4  6.2/alpha/Zope-zpublisher-2.2.4-3.alpha.rpm
dd2fec391397a727106aa9ea3da45a7e  6.2/alpha/Zope-zserver-2.2.4-3.alpha.rpm
377f033d43839e30d687f92389b01af9  6.2/alpha/Zope-ztemplates-2.2.4-3.alpha.rpm
3bde2f09e75432dba375863c7740b9dc  6.2/i386/Zope-2.2.4-3.i386.rpm
dfc304409d9c7397a316de5849fa0d48  6.2/i386/Zope-components-2.2.4-3.i386.rpm
c3e561101a3c49a024b600aaac5263e0  6.2/i386/Zope-core-2.2.4-3.i386.rpm
7e9f96be58da0dbf2525f2e63e35f497  6.2/i386/Zope-pcgi-2.2.4-3.i386.rpm
f969f0c7ff3d293217c9ce90bee1abed  6.2/i386/Zope-services-2.2.4-3.i386.rpm
1593e474602258fc1ef21ac79f6e639b  6.2/i386/Zope-zpublisher-2.2.4-3.i386.rpm
abf5a7c5938bdc27d3887137871b724c  6.2/i386/Zope-zserver-2.2.4-3.i386.rpm
6e347722a0827f60dcf97b118d3f3e60  6.2/i386/Zope-ztemplates-2.2.4-3.i386.rpm
a7f02426dc7390e816ac1738b1fe5c4c  6.2/sparc/Zope-2.2.4-3.sparc.rpm
799085909efa49091c938451e64a3eac  6.2/sparc/Zope-components-2.2.4-3.sparc.rpm
5692eb110c4a82a5cd605d9108112981  6.2/sparc/Zope-core-2.2.4-3.sparc.rpm
93a9fdb0a3425cb64bbdc59cb323c53e  6.2/sparc/Zope-pcgi-2.2.4-3.sparc.rpm
0f1207038f08bfc3640a3a9a57077a7c  6.2/sparc/Zope-services-2.2.4-3.sparc.rpm
cd96eee2c2465858c9762e945edd4831  6.2/sparc/Zope-zpublisher-2.2.4-3.sparc.rpm
0d8c06bfce677efe6ebd792f4909e933  6.2/sparc/Zope-zserver-2.2.4-3.sparc.rpm
1b9942b112082d9d2ac4a45d49fc20e1  6.2/sparc/Zope-ztemplates-2.2.4-3.sparc.rpm
aa6dc280ac9cd160a59cc94a422f33d7  7.0/SRPMS/Zope-2.2.4-4.src.rpm
6ba5ab5536c6febe1baa5115545501ba  7.0/alpha/Zope-2.2.4-4.alpha.rpm
303db0df979bb5108d6b0ec1dc9b7086  7.0/alpha/Zope-components-2.2.4-4.alpha.rpm
651553ed0a862019ed6ae1b7f61b95d6  7.0/alpha/Zope-core-2.2.4-4.alpha.rpm
babed78c7c795052e26877862205e1a6  7.0/alpha/Zope-pcgi-2.2.4-4.alpha.rpm
18c9a4075c7bb4a5d04dfab1b7180046  7.0/alpha/Zope-services-2.2.4-4.alpha.rpm
485304852c9ca212b7b64724ba1568d3  7.0/alpha/Zope-zpublisher-2.2.4-4.alpha.rpm
4571271fd46f3e888f033604a30aa0dd  7.0/alpha/Zope-zserver-2.2.4-4.alpha.rpm
fbd063e9b50a164ecad4672e9b1244e6  7.0/alpha/Zope-ztemplates-2.2.4-4.alpha.rpm
f53ebebbb586cd0a7a273249d8d31d46  7.0/i386/Zope-2.2.4-4.i386.rpm
6d732f25729bdb4cdd7f6e31c7166622  7.0/i386/Zope-components-2.2.4-4.i386.rpm
7ab10f25d8db9e146161a89e1e8dfd93  7.0/i386/Zope-core-2.2.4-4.i386.rpm
c144ac2c1b10b0c260ac0224018c99b8  7.0/i386/Zope-pcgi-2.2.4-4.i386.rpm
d4b6a2064f721dec5ca83dc3336ccbde  7.0/i386/Zope-services-2.2.4-4.i386.rpm
8f6b0b0baa3c3da30f5eb43d14ed9ab5  7.0/i386/Zope-zpublisher-2.2.4-4.i386.rpm
5b3e3e6f31cc56a797464602fd7057f5  7.0/i386/Zope-zserver-2.2.4-4.i386.rpm
e9ecf895e293c0e05cb502c3042fdb21  7.0/i386/Zope-ztemplates-2.2.4-4.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
     http://www.Red Hat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg 

8. References:
 
http://www.zope.org/Products/Zope/Hotfix_2000-12-08/security_alert


Copyright(c) 2000 Red Hat, Inc.