r2688 - in zope2.12/trunk/debian (3 files)
arnau at users.alioth.debian.org
Sat Nov 24 06:00:42 UTC 2012
Date: Saturday, November 24, 2012 @ 06:00:40
Author: arnau
Revision: 2688
Fix Restricted Python sandbox escape (CVE-2012-5487).
Added:
zope2.12/trunk/debian/patches/CVE-2012-5487.patch
Modified:
zope2.12/trunk/debian/changelog
zope2.12/trunk/debian/patches/series
Modified: zope2.12/trunk/debian/changelog
===================================================================
--- zope2.12/trunk/debian/changelog 2012-11-24 05:53:43 UTC (rev 2687)
+++ zope2.12/trunk/debian/changelog 2012-11-24 06:00:40 UTC (rev 2688)
@@ -4,6 +4,8 @@
+ Fix Reflexive HTTP header injection (CVE-2012-5486).
+ Fix Timing attack in password validation (CVE-2012-5507).
+ Fix PRNG which wasn't reseeded (CVE-2012-5508).
+ * debian/patches/CVE-2012-5487.patch:
+ + Fix Restricted Python sandbox escape (CVE-2012-5487).
* debian/control:
+ Bump zope.common required version as the debconf template
has been updated to fix #656552.
Added: zope2.12/trunk/debian/patches/CVE-2012-5487.patch
===================================================================
--- zope2.12/trunk/debian/patches/CVE-2012-5487.patch (rev 0)
+++ zope2.12/trunk/debian/patches/CVE-2012-5487.patch 2012-11-24 06:00:40 UTC (rev 2688)
@@ -0,0 +1,13 @@
+Index: zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py
+===================================================================
+--- zope2.12-2.12.26.orig/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-22 18:57:27.000000000 +0900
++++ zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-24 13:23:20.669183242 +0900
+@@ -311,6 +311,8 @@
+ ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
+ dot = module_name.find('.', dot + 1)
+
++allow_module.__roles__ = ()
++
+ def allow_class(Class):
+ """Allow a class and all of its methods to be used from a
+ restricted Script. The argument Class must be a class."""
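Review bot: the new patch file carries no DEP-3 header (Description, Origin, Bug-Debian, Forwarded) ahead of the `Index:` line, so a later maintainer has to look up CVE-2012-5487 to learn why `allow_module.__roles__ = ()` was added; consider prepending a short description and the upstream reference. The one-line change itself is sound: an empty `__roles__` tuple on a callable means no role is permitted to call it, so the helper stays usable from trusted filesystem code while being withheld from restricted (through-the-web) scripts, which is the intent stated in the commit message.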
Modified: zope2.12/trunk/debian/patches/series
===================================================================
--- zope2.12/trunk/debian/patches/series 2012-11-24 05:53:43 UTC (rev 2687)
+++ zope2.12/trunk/debian/patches/series 2012-11-24 06:00:40 UTC (rev 2688)
@@ -3,3 +3,4 @@
Zope2-webdav_urljoin.patch
Zope2-deb_zopeconf.patch
ZODB3-fix_shebang.patch
+CVE-2012-5487.patch
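Review bot: nit, the other entries in this series use the `Zope2-*.patch` / `ZODB3-*.patch` prefix to say which source tree they touch, while the new one is named `CVE-2012-5487.patch` alone; a name such as `Zope2-CVE-2012-5487.patch` would keep the convention and still make the CVE searchable. Appending it at the end of the series is correct since it touches a file none of the earlier patches modify.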