dcsimg
Linux Today: Linux News On Internet Time.




Current Newswire:

More on LinuxToday

Linux-Mandrake Security Update Advisory: Zope update

Dec 20, 2000, 21:42 (0 Talkback[s])

WEBINAR:
On-Demand

Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame


Date: Tue, 19 Dec 2000 22:22:51 -0700
From: Linux Mandrake Security Team security@LINUX-MANDRAKE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: MDKSA-2000:086 - Zope update

                Linux-Mandrake Security Update Advisory


Package name:           Zope
Date:                   December 19th, 2000
Advisory ID:            MDKSA-2000:086

Affected versions:      7.1, 7.2

Problem Description:

A potential security issue exists in versions of Zope up to and including 2.2.4. This issue involves incorrect protection of a data updating method on Image and File objects. Because the method was not correctly protected, it was possible for users with DTML editing privileges to update the raw data of a File or Image object via DTML though they did not have editing privileges on the objects themselves. This update replaces the previous Zope update noted in MDKSA-2000:083.

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Linux-Mandrake Security Team at
http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.

Linux-Mandrake 7.1:
1a27224eda3908f1797f8373cb0a997e 7.1/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
0c4b6927178dae9addb86ad3b58bcb04 7.1/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
41f3a790bf3bebb4c49e8ced65a2eec2 7.1/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
2697aac6c282d0ff1df6be67c452f0f1 7.1/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
6170e2801ae6ff70e0a8d7115abcf2ab 7.1/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
f532b272a002b2cadea796644cb55c24 7.1/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
c46eec7ed0490a72ae1b40fda4697891 7.1/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
8b20f57bf02811245b6c398deb908fb3 7.1/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
8fd0a77af27e4f10b5c7d72aca007a60 7.1/SRPMS/Zope-2.2.4-1.2mdk.src.rpm

Linux-Mandrake 7.2:
977521271b02081ead2e692486153603 7.2/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
9469e68a5bad3616f55968bb2a03bdf8 7.2/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
2d613ea11d316604c92d87c38850624b 7.2/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
029cb83d8dff5c8062c41dcd2643a6fa 7.2/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
06dc417709a6d0013213d54361a9fe31 7.2/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
f32ab4d27616c1ee74c1510cbb2f9ff9 7.2/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
f95628b3a712688df2810842bd9136ba 7.2/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
9155e0f3e372b7b7133ad2445cca6522 7.2/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
8fd0a77af27e4f10b5c7d72aca007a60 7.2/SRPMS/Zope-2.2.4-1.2mdk.src.rpm

To upgrade automatically, use <<MandrakeUpdate>>.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and uprade with "rpm -Uvh package_name".

You can download the updates directly from:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

Or try one of the other mirrors listed at:

http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory. For example, if you are looking for an updated RPM package for Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/". Updated source RPMs are available as well, but you generally do not need to download them.

Please be aware that sometimes it takes the mirrors a few hours to update, so if you want an immediate upgrade, please use one of the two above-listed mirrors.

You can view other security advisories for Linux-Mandrake at:

http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

security@linux-mandrake.com

Linux-Mandrake has two security-related mailing list services that anyone can subscribe to:

security-announce@linux-mandrake.com

Linux-Mandrake's security announcements mailing list. Only announcements are sent to this list and it is read-only.

security-discuss@linux-mandrake.com

Linux-Mandrake's security discussion mailing list. This list is open to anyone to discuss Linux-Mandrake security specifically and Linux security in general.

To subscribe to either list, send a message to sympa@linux-mandrake.com with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to sympa@linux-mandrake.com with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to sympa@linux-mandrake.com with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe from either list:

http://www.linux-mandrake.com/en/flists.php3#security