
[debian-users:23606] [SECURITY] new version of zope released (from debian-security-announce@lists.debian.org)



As already posted at <http://www.debian.org/security/2000/20000812>,
a security problem has been found in the zope package provided in
potato and later, and version 2.1.6-5.1, which fixes it, has been released.
(There is no zope package in slink or earlier.)

The problem is that remote access is possible with privileges that were
not originally granted. For details, please refer to the original text.

From: mstone@xxxxxxxxxxxxxxxxxx (Michael Stone)
Subject: [SECURITY] new version of zope released
Date: Fri, 11 Aug 2000 20:30:47 -0400 (EDT)
> -------------------------------------------------------------------------
> Debian Security Advisory                             security@debian.org
> http://www.debian.org/security/                            Michael Stone
> August 11, 2000
> -------------------------------------------------------------------------

> Package: zope
> Vulnerability type: remote unprivileged access
> Debian-specific: no

> On versions of Zope prior to 2.2beta1 it was possible for a user with the
> ability to edit DTML to gain unauthorized access to extra roles during a
> request.

> Debian 2.1 (slink) did not include zope, and is not vulnerable. The widely-used
> Debian 2.2 (potato) pre-release does include zope and is vulnerable to this
> issue. A fixed package for Debian 2.2 (potato) is available in zope 2.1.6-5.1.

(Remainder omitted)
-- 
喜瀬“冬猫”浩 @ tropical Okinawa