In versions of Zope prior to 2.2.1, it was possible for a
user with the ability to edit DTML to gain unauthorized access to extra roles
during a request. A fix was previously announced in the Debian GNU/Linux zope package
2.1.6-5.1, but that package did not fully address the issue and has been
superseded by this announcement. More information is available at http://www.zope.org/Products/Zope/Hotfix_2000-08-17/security_alert.
Debian GNU/Linux 2.1 (slink) did not include zope, and is not vulnerable.
Debian GNU/Linux 2.2 (potato) does include zope and is vulnerable to this issue.
A fixed package for Debian GNU/Linux 2.2 (potato) is available in zope
2.1.6-5.2.