
Multiple vulnerabilities in Zope 2.5.1

Package(s): zope
CVE #(s): CAN-2002-0170 CAN-2002-0687 CAN-2002-0688
Created: September 25, 2002
Updated: September 25, 2002
Description: Three security hotfixes are available to fix vulnerabilities in Zope 2.5.1:
  • (Hotfix 2002-03-01) Users defined in subfolders of a site may have unintended access to objects at higher levels.
  • (Hotfix 2002-04-15) Untrusted users can use the "through the web code" capability to shut down the Zope server.
  • (Hotfix 2002-06-14) Anonymous users and untrusted code can call arbitrary methods of catalog indexes.
Alerts:
Red Hat RHSA-2002:060-17 2002-09-24


Multiple vulnerabilities in Zope 2.5.1

Posted Sep 26, 2002 12:02 UTC (Thu) by tseaver (subscriber, #1544)

I am puzzled that LWN treated this announcement (from Red Hat, not from
Zope Corp.) as a "new vulnerability report". As the text of the
announcement makes clear, Red Hat has released a "distributor update"
to Zope 2.5.1 which includes fixes which have been available from the
Zope.org website for *months* now.

Tres Seaver <tseaver@zope.com>

Incorrect Zope version in title

Posted Sep 26, 2002 16:27 UTC (Thu) by tseaver (subscriber, #1544)

Further reading of the Red Hat announcement reveals that the updates they
are releasing are to the version of Zope shipped with the PowerTools 7.x
releases, which include Zope 2.2.5. That version of Zope was released on
8 January 2001!

Only one of the listed vulnerabilities (the 2002-06-14 hotfix) affects version 2.5.1 of Zope, which was released on 23 April 2002, at URL:

http://www.zope.org/Products/Zope/2.5.1

Tres Seaver <tseaver@zope.com>

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.