3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
92 lines
3.4 KiB
Text
92 lines
3.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-01:06 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: zope vulnerability allows escalation of privileges
|
|
|
|
Category: ports
|
|
Module: zope
|
|
Announced: 2001-01-15
|
|
Credits: Erik Enge
|
|
Affects: Ports collection prior to the correction date.
|
|
Corrected: 2000-12-20
|
|
Vendor status: Patch released
|
|
FreeBSD only: NO
|
|
|
|
I. Background
|
|
|
|
zope is an object-based dynamic web application platform.
|
|
|
|
II. Problem Description
|
|
|
|
The zope port, versions prior to 2.2.4, contains a vulnerability due
|
|
to the computation of local roles not climbing the correct hierarchy
|
|
of folders, sometimes granting local roles inappropriately. This may
|
|
allow users with privileges in one folder to gain the same privileges
|
|
in another folder.
|
|
|
|
The zope port is not installed by default, nor is it "part of FreeBSD"
|
|
as such: it is part of the FreeBSD ports collection, which contains
|
|
nearly 4500 third-party applications in a ready-to-install format.
|
|
The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this
|
|
problem since it was discovered after the releases.
|
|
|
|
FreeBSD makes no claim about the security of these third-party
|
|
applications, although an effort is underway to provide a security
|
|
audit of the most security-critical ports.
|
|
|
|
III. Impact
|
|
|
|
Zope users with privileges in one folder may be able to gain the same
|
|
privileges in other folders.
|
|
|
|
If you have not chosen to install the zope port/package, then your
|
|
system is not vulnerable to this problem.
|
|
|
|
IV. Workaround
|
|
|
|
Deinstall the zope port/package, if you have installed it.
|
|
|
|
V. Solution
|
|
|
|
One of the following:
|
|
|
|
1) Upgrade your entire ports collection and rebuild the zope port.
|
|
|
|
2) Deinstall the old package and install a new package dated after the
|
|
correction date, obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.4.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.4.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.4.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.4.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.4.tgz
|
|
|
|
3) download a new port skeleton for the zope port from:
|
|
|
|
http://www.freebsd.org/ports/
|
|
|
|
and use it to rebuild the port.
|
|
|
|
4) Use the portcheckout utility to automate option (3) above. The
|
|
portcheckout port is available in /usr/ports/devel/portcheckout or the
|
|
package can be obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.0.4 (FreeBSD)
|
|
Comment: For info see http://www.gnupg.org
|
|
|
|
iQCVAwUBOmN6UVUuHi5z0oilAQGVdAP/TPreDK7sB21+F5wO6KAWKBZe4NZIRAlt
|
|
aajsBSTmpCYGtQ1dbsIeMUtTYOzdR8FKO0CPYfZbl1cjGljW3HpWIus0ildznNeA
|
|
LznyYR9fwoSNU0Vh9xtqZ3OolCGw+GY98Wg55RcgToDDxeNnT4ZSGZnf4zdwQw9S
|
|
QbDfN6Br1oM=
|
|
=c035
|
|
-----END PGP SIGNATURE-----
|