Date: Tue, 19 Dec 2000 22:22:51 -0700
From: Linux Mandrake Security Team security@LINUX-MANDRAKE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: MDKSA-2000:086 – Zope update
Linux-Mandrake Security Update Advisory
Package name: Zope
Date: December 19th, 2000
Advisory ID: MDKSA-2000:086
Affected versions: 7.1, 7.2
Problem Description:
A potential security issue exists in versions of Zope up to and
including 2.2.4. This issue involves incorrect protection of a data
updating method on Image and File objects. Because the method was
not correctly protected, it was possible for users with DTML
editing privileges to update the raw data of a File or Image object
via DTML though they did not have editing privileges on the objects
themselves. This update replaces the previous Zope update noted in
MDKSA-2000:083.
Please verify the update prior to upgrading to ensure the
integrity of the downloaded package. You can do this with the
command:
rpm –checksig package.rpm
You can get the GPG public key of the Linux-Mandrake Security Team
at
http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.
Linux-Mandrake 7.1:
1a27224eda3908f1797f8373cb0a997e
7.1/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
0c4b6927178dae9addb86ad3b58bcb04
7.1/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
41f3a790bf3bebb4c49e8ced65a2eec2
7.1/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
2697aac6c282d0ff1df6be67c452f0f1
7.1/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
6170e2801ae6ff70e0a8d7115abcf2ab
7.1/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
f532b272a002b2cadea796644cb55c24
7.1/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
c46eec7ed0490a72ae1b40fda4697891
7.1/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
8b20f57bf02811245b6c398deb908fb3
7.1/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
8fd0a77af27e4f10b5c7d72aca007a60
7.1/SRPMS/Zope-2.2.4-1.2mdk.src.rpm
Linux-Mandrake 7.2:
977521271b02081ead2e692486153603
7.2/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
9469e68a5bad3616f55968bb2a03bdf8
7.2/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
2d613ea11d316604c92d87c38850624b
7.2/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
029cb83d8dff5c8062c41dcd2643a6fa
7.2/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
06dc417709a6d0013213d54361a9fe31
7.2/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
f32ab4d27616c1ee74c1510cbb2f9ff9
7.2/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
f95628b3a712688df2810842bd9136ba
7.2/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
9155e0f3e372b7b7133ad2445cca6522
7.2/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
8fd0a77af27e4f10b5c7d72aca007a60
7.2/SRPMS/Zope-2.2.4-1.2mdk.src.rpm
To upgrade automatically, use
<<MandrakeUpdate>>.
If you want to upgrade manually, download the updated package
from one of our FTP server mirrors and uprade with “rpm -Uvh
package_name”.
You can download the updates directly from:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
Or try one of the other mirrors listed at:
http://www.linux-mandrake.com/en/ftp.php3.
Updated packages are available in the “updates/[ver]/RPMS/”
directory. For example, if you are looking for an updated RPM
package for Linux-Mandrake 7.1, look for it in “updates/7.1/RPMS/”.
Updated source RPMs are available as well, but you generally do not
need to download them.
Please be aware that sometimes it takes the mirrors a few hours
to update, so if you want an immediate upgrade, please use one of
the two above-listed mirrors.
You can view other security advisories for Linux-Mandrake
at:
http://www.linux-mandrake.com/en/security/
If you want to report vulnerabilities, please contact
Linux-Mandrake has two security-related mailing list services
that anyone can subscribe to:
security-announce@linux-mandrake.com
Linux-Mandrake’s security announcements mailing list. Only
announcements are sent to this list and it is read-only.
security-discuss@linux-mandrake.com
Linux-Mandrake’s security discussion mailing list. This list is
open to anyone to discuss Linux-Mandrake security specifically and
Linux security in general.
To subscribe to either list, send a message to sympa@linux-mandrake.com with
“subscribe [listname]” in the body of the message.
To remove yourself from either list, send a message to sympa@linux-mandrake.com with
“unsubscribe [listname]” in the body of the message.
To get more information on either list, send a message to
sympa@linux-mandrake.com with
“info [listname]” in the body of the message.
Optionally, you can use the web interface to subscribe to or
unsubscribe from either list: