DSA-055-1 zope -- remote unauthorized access

Debian Security Advisory

DSA-055-1 zope -- remote unauthorized access

Date Reported:

07 May 2001

Affected Packages:

zope

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2001-0567.

More information:

A new Zope hotfix has been released which fixes a problem in ZClasses. The README for the 2001-05-01 hotfix describes the problem as `any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing for unauthorized access within the Zope instance.'

This hotfix has been added in version 2.1.6-10, and we highly recommend that you upgrade your zope package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-10.diff.gz

http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-10.dsc

http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6.orig.tar.gz

Alpha:

http://security.debian.org/dists/stable/updates/main/binary-alpha/zope_2.1.6-10_alpha.deb

ARM:

http://security.debian.org/dists/stable/updates/main/binary-arm/zope_2.1.6-10_arm.deb

Intel IA-32:

http://security.debian.org/dists/stable/updates/main/binary-i386/zope_2.1.6-10_i386.deb

Motorola 680x0:

http://security.debian.org/dists/stable/updates/main/binary-m68k/zope_2.1.6-10_m68k.deb

PowerPC:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/zope_2.1.6-10_powerpc.deb

Sun Sparc:

http://security.debian.org/dists/stable/updates/main/binary-sparc/zope_2.1.6-10_sparc.deb

MD5 checksums of the listed files are available in the original advisory.