From redhat-watch-list-admin@redhat.com Tue Feb 27 15:09:59 2001 From: redhat-watch-list-admin@redhat.com To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 26 Feb 2001 15:42:00 -0500 Reply-To: redhat-watch-list@redhat.com Subject: [BUGTRAQ] [RHSA-2001:021-06] New Zope packages are available [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] --------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: New Zope packages are available Advisory ID: RHSA-2001:021-06 Issue date: 2001-02-24 Updated on: 2001-02-26 Product: Red Hat Powertools Keywords: Cross references: Obsoletes: RHSA-2000-135 RHSA-2000-125 --------------------------------------------------------------------- 1. Topic: New Zope packages are available which fix numerous security vulnerabilities. 2. Relevant releases/architectures: Red Hat Powertools 6.2 - alpha, i386, sparc Red Hat Powertools 7.0 - alpha, i386 3. Problem description: >From the Zope advisory: "This hotfix addresses and [sic] important security issue that affects Zope versions up to and including Zope 2.3.1 b1. The issue is related to ZClasses in that a user with through-the-web scripting capabilities on a Zope site can view and assign class attributes to ZClasses, possibly allowing them to make inappropriate changes to ZClass instances. This patch also fixes problems in the ObjectManager, PropertyManager, and PropertySheet classes related to mutability of method return values which could be perceived as a security problem. We *highly* recommend that any Zope site running versions of Zope up to and including 2.3.1 b1 have this hotfix product installed to mitigate these issues if the site is accessible by untrusted users who have through-the-web scripting privileges." The updated packages include this new hotfix. 4. Solution: *NOTE* This advisory supercedes all other Zope and Zope-Hotfix advisories from Red Hat, Inc. To update all RPMs for your particular architecture, run: rpm -Fvh where is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directly *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Powertools 6.2: SRPMS: ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-2.2.4-6.src.rpm alpha: ftp://updates.redhat.com/powertools/6.2/alpha/Zope-2.2.4-6.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/Zope-components-2.2.4-6.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/Zope-core-2.2.4-6.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/Zope-pcgi-2.2.4-6.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/Zope-services-2.2.4-6.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/Zope-zpublisher-2.2.4-6.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/Zope-zserver-2.2.4-6.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/Zope-ztemplates-2.2.4-6.alpha.rpm i386: ftp://updates.redhat.com/powertools/6.2/i386/Zope-2.2.4-6.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/Zope-components-2.2.4-6.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/Zope-core-2.2.4-6.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/Zope-pcgi-2.2.4-6.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/Zope-services-2.2.4-6.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/Zope-zpublisher-2.2.4-6.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/Zope-zserver-2.2.4-6.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/Zope-ztemplates-2.2.4-6.i386.rpm sparc: ftp://updates.redhat.com/powertools/6.2/sparc/Zope-2.2.4-6.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/Zope-components-2.2.4-6.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/Zope-core-2.2.4-6.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/Zope-pcgi-2.2.4-6.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/Zope-services-2.2.4-6.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/Zope-zpublisher-2.2.4-6.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/Zope-zserver-2.2.4-6.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/Zope-ztemplates-2.2.4-6.sparc.rpm Red Hat Powertools 7.0: SRPMS: ftp://updates.redhat.com/powertools/7.0/SRPMS/Zope-2.2.4-7.src.rpm alpha: ftp://updates.redhat.com/powertools/7.0/alpha/Zope-2.2.4-7.alpha.rpm ftp://updates.redhat.com/powertools/7.0/alpha/Zope-components-2.2.4-7.alpha.rpm ftp://updates.redhat.com/powertools/7.0/alpha/Zope-core-2.2.4-7.alpha.rpm ftp://updates.redhat.com/powertools/7.0/alpha/Zope-pcgi-2.2.4-7.alpha.rpm ftp://updates.redhat.com/powertools/7.0/alpha/Zope-services-2.2.4-7.alpha.rpm ftp://updates.redhat.com/powertools/7.0/alpha/Zope-zpublisher-2.2.4-7.alpha.rpm ftp://updates.redhat.com/powertools/7.0/alpha/Zope-zserver-2.2.4-7.alpha.rpm ftp://updates.redhat.com/powertools/7.0/alpha/Zope-ztemplates-2.2.4-7.alpha.rpm i386: ftp://updates.redhat.com/powertools/7.0/i386/Zope-2.2.4-7.i386.rpm ftp://updates.redhat.com/powertools/7.0/i386/Zope-components-2.2.4-7.i386.rpm ftp://updates.redhat.com/powertools/7.0/i386/Zope-core-2.2.4-7.i386.rpm ftp://updates.redhat.com/powertools/7.0/i386/Zope-pcgi-2.2.4-7.i386.rpm ftp://updates.redhat.com/powertools/7.0/i386/Zope-services-2.2.4-7.i386.rpm ftp://updates.redhat.com/powertools/7.0/i386/Zope-zpublisher-2.2.4-7.i386.rpm ftp://updates.redhat.com/powertools/7.0/i386/Zope-zserver-2.2.4-7.i386.rpm ftp://updates.redhat.com/powertools/7.0/i386/Zope-ztemplates-2.2.4-7.i386.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 1cee19a4c71066a26ad46ef843a021ec 6.2/SRPMS/Zope-2.2.4-6.src.rpm 8ccb74c33b4615f5a271d8b4020362c9 6.2/alpha/Zope-2.2.4-6.alpha.rpm 907bcbac56f1dde6c721790832c7922e 6.2/alpha/Zope-components-2.2.4-6.alpha.rpm d0f965ede5461c89959b2a90c0e93b08 6.2/alpha/Zope-core-2.2.4-6.alpha.rpm f3498e23a14f994cacfff7c0d8e65c4d 6.2/alpha/Zope-pcgi-2.2.4-6.alpha.rpm c22de50c38a3b355393700569592fdc3 6.2/alpha/Zope-services-2.2.4-6.alpha.rpm 843260a32fca2a0cd1cc6dbcd50c8512 6.2/alpha/Zope-zpublisher-2.2.4-6.alpha.rpm 3955a934c2b99fad187956cc3ec94374 6.2/alpha/Zope-zserver-2.2.4-6.alpha.rpm 1a40476934178b01aae8dbe0b46bdfc2 6.2/alpha/Zope-ztemplates-2.2.4-6.alpha.rpm 129647a28cbeac9659a6717db03a0ef0 6.2/i386/Zope-2.2.4-6.i386.rpm 35f30fe3d68b43849edb63ae3b77136f 6.2/i386/Zope-components-2.2.4-6.i386.rpm 4bc74e05ed6f53d26cc94b5d006f4756 6.2/i386/Zope-core-2.2.4-6.i386.rpm af0e5b0a225870dfc2d7dba1027b34e4 6.2/i386/Zope-pcgi-2.2.4-6.i386.rpm 9a29e9b14cee9c4d44b2c196a64a9f04 6.2/i386/Zope-services-2.2.4-6.i386.rpm f80f0588b445a4f79f8266ca89141826 6.2/i386/Zope-zpublisher-2.2.4-6.i386.rpm b2b5f957de787293361cd737811ae773 6.2/i386/Zope-zserver-2.2.4-6.i386.rpm 5bf7b8c372cc6692e48fe767e4a575a0 6.2/i386/Zope-ztemplates-2.2.4-6.i386.rpm 9cd609052adfa6776e211c460dc21f7d 6.2/sparc/Zope-2.2.4-6.sparc.rpm 485315f636e8f8fc9b7578f45395854c 6.2/sparc/Zope-components-2.2.4-6.sparc.rpm d430518810cc99f671dca3c2a0da5962 6.2/sparc/Zope-core-2.2.4-6.sparc.rpm 18fe9ab287a933d2667738f60c7b3906 6.2/sparc/Zope-pcgi-2.2.4-6.sparc.rpm 2c19519b8b79a53c616a872376f03052 6.2/sparc/Zope-services-2.2.4-6.sparc.rpm 4e539977de9266832b27304a806a6c6a 6.2/sparc/Zope-zpublisher-2.2.4-6.sparc.rpm 3a7862b5756a7244646b9003e293b46e 6.2/sparc/Zope-zserver-2.2.4-6.sparc.rpm 26c1116758fd7503932ae433e90d5eda 6.2/sparc/Zope-ztemplates-2.2.4-6.sparc.rpm bf725481032bb7274d43214313dd5faa 7.0/SRPMS/Zope-2.2.4-7.src.rpm ac9263e51ae7363f87094600310d8361 7.0/alpha/Zope-2.2.4-7.alpha.rpm f35516df480cc1d69c2c32909d98c3d0 7.0/alpha/Zope-components-2.2.4-7.alpha.rpm 7208182e7aa101adc2422ef88aed16b9 7.0/alpha/Zope-core-2.2.4-7.alpha.rpm 3d1c823fc95ad40a5896636b65db85dc 7.0/alpha/Zope-pcgi-2.2.4-7.alpha.rpm 4bb7097532b82a2a19d8589c2bda25ba 7.0/alpha/Zope-services-2.2.4-7.alpha.rpm 084fc2a9557ae11d1c791ac2afd56b1e 7.0/alpha/Zope-zpublisher-2.2.4-7.alpha.rpm e7556ec91a966e911355905f328623ef 7.0/alpha/Zope-zserver-2.2.4-7.alpha.rpm d4ca57128f0e7d853e611e988cf0a842 7.0/alpha/Zope-ztemplates-2.2.4-7.alpha.rpm 75a7a5006bf795de4fd11ecf1fc7b7fa 7.0/i386/Zope-2.2.4-7.i386.rpm 74c87a18942602b2075ed3e948a17360 7.0/i386/Zope-components-2.2.4-7.i386.rpm b06820fd06b0b1c062efc73657ef72bb 7.0/i386/Zope-core-2.2.4-7.i386.rpm 2ab9d8cd4946c89dddc705f2fd1a5df6 7.0/i386/Zope-pcgi-2.2.4-7.i386.rpm d378aba6b5ccd95813252c734960688f 7.0/i386/Zope-services-2.2.4-7.i386.rpm 3d1ad4cd23e722b2d32d732e604e6e1a 7.0/i386/Zope-zpublisher-2.2.4-7.i386.rpm cc478476f6bd734dc4981cf42914ada6 7.0/i386/Zope-zserver-2.2.4-7.i386.rpm bb2bef1616e9eb3693c86cf0564bc140 7.0/i386/Zope-ztemplates-2.2.4-7.i386.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: http://www.zope.org/Products/Zope/Hotfix_2001-02-23/security_alert Copyright(c) 2000, 2001 Red Hat, Inc. _______________________________________________ Redhat-watch-list mailing list To unsubscribe, visit: https://listman.redhat.com/mailman/listinfo/redhat-watch-list