Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

Moritz Muehlenhoff jmm at debian.org
Fri Nov 30 15:07:05 UTC 2012


On Sun, Nov 25, 2012 at 11:07:38AM +0900, Arnaud Fontaine wrote:
> Hello,
> 
> Luciano Bello <luciano at debian.org> writes:
> 
> > Hi, please see : http://seclists.org/oss-sec/2012/q4/249
> >
> > Can you confirm if any of the Debian packages are affected?
> 
> As far as I could find (not clear in the upstream changelog):
> 
> version 2.12.26:
>   * LP #1071067 fixes CVE 2012-5507, CVE 2012-5508.
>   * LP #930812 fixes CVE 2012-5486.
> 
> version 2.12.21:
>   * LP #1079238 fixes CVE 2012-5489.
> 
> According to the upstream changelog, LP #1047318 seems to fix a security
> bug, but I could not find it in zope2 launchpad nor anywhere else.
> 
> The following CVEs do not affect the Zope2 package (Plone/Zope3/..)
> (within brackets is the Product/module/... affected along with the
> corresponding filename in Plone Hotfix):

For clarification, so that I can update the Debian Security Tracker,
none of these CVE IDs are packaged in Debian, right?

(I can't find a Plone package, but these could be packaged through
one of the many zope.* packages?)
 
> * CVE-2012-5485 (Plone: registerConfiglet.py)
>   http://plone.org/products/plone/security/advisories/20121106/01
> 
> * CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
>   (Plone-specific: python_scripts.py)
>   http://plone.org/products/plone/security/advisories/20121106/04
>   http://plone.org/products/plone/security/advisories/20121106/10
>   http://plone.org/products/plone/security/advisories/20121106/11
>   http://plone.org/products/plone/security/advisories/20121106/15
>   http://plone.org/products/plone/security/advisories/20121106/22
> 
> * CVE-2012-5490 (kss: kssdevel.py)
>   http://plone.org/products/plone/security/advisories/20121106/06
> 
> * CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
>   http://plone.org/products/plone/security/advisories/20121106/12
>   http://plone.org/products/plone/security/advisories/20121106/20
> 
> * CVE-2012-5492 (Plone: uid_catalog.py)
>   http://plone.org/products/plone/security/advisories/20121106/08
> 
> * CVE-2012-5493 (CMFCore: gtbn.py)
>   http://plone.org/products/plone/security/advisories/20121106/09
> 
> * CVE-2012-5496 (Plone: kupu_spellcheck.py)
>   http://plone.org/products/plone/security/advisories/20121106/09
> 
> * CVE-2012-5497 (Plone: membership_tool.py)
>   http://plone.org/products/plone/security/advisories/20121106/13
> 
> * CVE-2012-5498 (Plone: queryCatalog.py)
>   http://plone.org/products/plone/security/advisories/20121106/14
> 
> * CVE-2012-5500 (Plone: renameObjectsByPaths.py)
>   http://plone.org/products/plone/security/advisories/20121106/15
> 
> * CVE-2012-5501 (Plone: at_download.py)
>   http://plone.org/products/plone/security/advisories/20121106/17
> 
> * CVE-2012-5502 (PortalTransforms: safe_html.py)
>   http://plone.org/products/plone/security/advisories/20121106/18
> 
> * CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
>   http://plone.org/products/plone/security/advisories/20121106/19

Cheers,
        Moritz
