[Pkg-zope-developers] Bug#313644: marked as done (zope2.7: Local security bug)

Debian Bug Tracking System owner at bugs.debian.org
Mon Jul 18 13:18:38 UTC 2005


Your message dated Mon, 18 Jul 2005 09:02:15 -0400
with message-id <E1DuVGB-00057r-00 at newraff.debian.org>
and subject line Bug#313644: fixed in zope2.7 2.7.5-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Jun 2005 19:46:40 +0000
From dimka at uvw.ru Tue Jun 14 12:46:40 2005
Return-path: <dimka at uvw.ru>
Received: from uvw.ru [81.9.63.15] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DiHMu-0004g9-00; Tue, 14 Jun 2005 12:46:40 -0700
Received: from nb.dhome.lan ([10.255.1.22] helo=localhost.localdomain)
	by uvw.ru with esmtp (Exim 4.50)
	id 1DiHMI-0000Xp-QN
	for submit at bugs.debian.org; Tue, 14 Jun 2005 23:46:02 +0400
Received: from dimka by localhost.localdomain with local (Exim 4.50)
	id 1DiHM9-0001cH-9g
	for submit at bugs.debian.org; Tue, 14 Jun 2005 23:45:53 +0400
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Dmitry E. Oboukhov" <dimka at uvw.ru>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: zope2.7: Local security bug
X-Mailer: reportbug 3.8
Date: Tue, 14 Jun 2005 23:45:53 +0400
Message-Id: <E1DiHM9-0001cH-9g at localhost.localdomain>
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: zope2.7
Severity: grave
Justification: user security hole


uvw.ru:[/home/dimka]# umask
022

uvw.ru:[/home/dimka]# mkzope2.7instance
...
[skipped]
...
Directory: /tmp/testmkzope
...
[skipped]


uvw.ru:[/home/dimka]# ls -lR /tmp/testmkzope|grep inituser
-rw-r--r--  1 root root   40 2005-06-14 23:40 inituser
^^^^^^^^^^
     Problem:

uvw.ru:[/home/dimka]$ cat /tmp/testmkzope/inituser 
dimka:{SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

Voilà!

Readable by all users.
This file contains the administrator password (hash).

I write a small CGI script and crack/hack the site (Zope) (theoretically ;))

PS: sorry for my bad English!
~~~~~~~~~~~~~~~~~~~~~~~~~


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

---------------------------------------
Received: (at 313644-close) by bugs.debian.org; 18 Jul 2005 13:12:23 +0000
From katie at ftp-master.debian.org Mon Jul 18 06:12:23 2005
Return-path: <katie at ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1DuVPz-0005aD-00; Mon, 18 Jul 2005 06:12:23 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DuVGB-00057r-00; Mon, 18 Jul 2005 09:02:15 -0400
From: A Mennucc1 <mennucc1 at debian.org>
To: 313644-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#313644: fixed in zope2.7 2.7.5-3
Message-Id: <E1DuVGB-00057r-00 at newraff.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Mon, 18 Jul 2005 09:02:15 -0400
Delivered-To: 313644-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 8

Source: zope2.7
Source-Version: 2.7.5-3

We believe that the bug you reported is fixed in the latest version of
zope2.7, which is due to be installed in the Debian FTP archive:

zope2.7_2.7.5-3.diff.gz
  to pool/main/z/zope2.7/zope2.7_2.7.5-3.diff.gz
zope2.7_2.7.5-3.dsc
  to pool/main/z/zope2.7/zope2.7_2.7.5-3.dsc
zope2.7_2.7.5-3_i386.deb
  to pool/main/z/zope2.7/zope2.7_2.7.5-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 313644 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
A Mennucc1 <mennucc1 at debian.org> (supplier of updated zope2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 17 Jul 2005 20:07:31 +0200
Source: zope2.7
Binary: zope2.7
Architecture: source i386
Version: 2.7.5-3
Distribution: unstable
Urgency: low
Maintainer: Debian Zope team <pkg-zope-developers at lists.alioth.debian.org>
Changed-By: A Mennucc1 <mennucc1 at debian.org>
Description: 
 zope2.7    - Open Source Web Application Server
Closes: 301067 305807 305936 309428 310790 313473 313621 313644
Changes: 
 zope2.7 (2.7.5-3) unstable; urgency=low
 .
   * Kindly warn users trying to use test suites that
     the python-profiler is not in main.
     Thanks martin f krafft (closes: #305936,#301067)
   * Set permission and ownership of inituser.
     Thanks Dmitry E. Oboukhov and Martin f Krafft (closes: #313644,#313621)
   * Error in query using the test "tab" of a ZSQL Method
     Thanks Paolo Alexis Falcone and J Alet (closes: #309428,#305807)
   * Bashism in mkzope2.7instance.
     Thanks Carlos Laviola and Martin f Krafft (closes: #313473)
   * Stupid awk error.
     Thanks Fabio Tranchitella and martin f krafft (closes: #310790)
Files: 
 1e7fc1d49207c690fc0d8979dfafceb3 894 web optional zope2.7_2.7.5-3.dsc
 55f39f92b9289c66d969e4d4f4f4280a 51911 web optional zope2.7_2.7.5-3.diff.gz
 a29ceae87a6e50081de122837ed776a6 2626176 web optional zope2.7_2.7.5-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC2qK29B/tjjP8QKQRAg/TAJ9DPciFU0EFuoidQbod9VBIq0ujcwCeM0tc
77BxIt95GKerTSOnhaqQrmE=
=90+S
-----END PGP SIGNATURE-----
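The reported defect (an inituser written by mkzope2.7instance under umask 022, so 0644 and root-owned, with the admin password hash inside) and the changelog entry "Set permission and ownership of inituser", as an added example that is not code from the bug report, the reporter or the zope2.7 package: the instance directories, the account name, the password and the wordlist are constructed here; write_inituser_unsafe only models the reported behaviour with a umask-honouring open(), write_inituser_safe is one hardened variant and not the patch shipped in 2.7.5-3, and the uid/gid ownership handoff is an assumed parameter.

```python
#!/usr/bin/env python3
"""Added example, not code from the bug report or the zope2.7 package.

Models the reported defect (inituser written with the caller's umask, so
0644 under umask 022) next to a hardened writer, an audit check for an
existing instance, and the offline guess a leaked {SHA} line allows.
The instance directories, account name, password and wordlist are
constructed; nothing here touches a real Zope instance.
"""
import base64
import hashlib
import os
import stat
import tempfile


def sha_digest(password):
    """Zope's {SHA} scheme: base64 of an unsalted SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def write_inituser_unsafe(instance_dir, user, password):
    """Models the reported behaviour: a plain open() honours the umask, so
    with umask 022 the file is created 0644 and every local user can read
    the hash.  Kept only as the 'before' of the fix."""
    path = os.path.join(instance_dir, "inituser")
    with open(path, "w") as f:
        f.write("%s:%s\n" % (user, sha_digest(password)))
    return path


def write_inituser_safe(instance_dir, user, password, uid=-1, gid=-1):
    """Hardened variant (an assumed fix, not the shipped patch): create with
    O_EXCL so a pre-planted file is never reused, force 0600 independently
    of the umask, and optionally hand the file to the account the instance
    runs as (uid/gid are caller-supplied; -1 leaves ownership alone)."""
    path = os.path.join(instance_dir, "inituser")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)          # the umask can only clear bits; be explicit
    with os.fdopen(fd, "w") as f:
        f.write("%s:%s\n" % (user, sha_digest(password)))
    if uid != -1 or gid != -1:
        os.chown(path, uid, gid)
    return path


def audit_inituser(instance_dir):
    """Return findings for an instance: an inituser readable by group or
    other is reported with its mode.  An empty list means nothing found."""
    path = os.path.join(instance_dir, "inituser")
    if not os.path.exists(path):
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ["%s: mode %04o is readable by group/other" % (path, mode)]
    return []


def crack_line(line, wordlist):
    """What a local user's 'small cgi-script' could do with the leaked line:
    the scheme is unsalted, so it is one SHA-1 per guess, no salt to handle."""
    user, stored = line.strip().split(":", 1)
    for guess in wordlist:
        if sha_digest(guess) == stored:
            return user, guess
    return user, None


def demo():
    """Run the bad and the good writer under the reporter's umask 022 and
    return what each produced, so the outcome can be checked."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            bad_dir = os.path.join(tmp, "bad")
            good_dir = os.path.join(tmp, "good")
            os.mkdir(bad_dir)
            os.mkdir(good_dir)
            secret = "winter2005"          # constructed, not the reporter's
            bad = write_inituser_unsafe(bad_dir, "dimka", secret)
            good = write_inituser_safe(good_dir, "dimka", secret)
            with open(bad) as f:           # any local user could do this
                leaked = f.readline()
            return {
                "bad_mode": stat.S_IMODE(os.stat(bad).st_mode),
                "good_mode": stat.S_IMODE(os.stat(good).st_mode),
                "bad_findings": audit_inituser(bad_dir),
                "good_findings": audit_inituser(good_dir),
                "cracked": crack_line(leaked, ["zope", "admin", secret]),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

Running it, the modelled instance comes out 0644 with the line recovered from a three-word list, while the hardened one comes out 0600 with no findings. A fix to the creation script does not change the mode of an inituser already on disk, so audit_inituser is the check to run against instances created before the fixed package.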