r2692 - in zope2.12/trunk/debian (3 files)
arnau at users.alioth.debian.org
arnau at users.alioth.debian.org
Thu Feb 28 09:44:53 UTC 2013
Date: Thursday, February 28, 2013 @ 09:44:52
Author: arnau
Revision: 2692
Prepare for upload following discussion on #692899.
Modified:
zope2.12/trunk/debian/changelog
zope2.12/trunk/debian/patches/CVE-2012-5505.patch
Deleted:
zope2.12/trunk/debian/patches/CVE-2012-5487.patch
Modified: zope2.12/trunk/debian/changelog
===================================================================
--- zope2.12/trunk/debian/changelog 2012-11-26 02:38:51 UTC (rev 2691)
+++ zope2.12/trunk/debian/changelog 2013-02-28 09:44:52 UTC (rev 2692)
@@ -1,19 +1,17 @@
-zope2.12 (2.12.26-1) UNRELEASED; urgency=high
+zope2.12 (2.12.26-1) unstable; urgency=high
- * New upstream release.
+ * New upstream release. Closes: #692899.
+ Fix Reflexive HTTP header injection (CVE-2012-5486).
+ Fix Timing attack in password validation (CVE-2012-5507).
+ Fix PRNG which wasn't reseeded (CVE-2012-5508).
- * debian/patches/CVE-2012-5487.patch:
- + Fix Restricted Python sandbox escape (CVE-2012-5487).
* debian/patches/CVE-2012-5505.patch:
+ Fix Attempting to access a view with no name returns an internal
- data structure (CVE-2012-5505).
+ data structure (CVE-2012-5505). Thanks to Tres Seaver. Closes: #692899.
* debian/control:
+ Bump zope.common required version as the debconf template
- has been updated to fix #656552.
+ has been updated. Closes: #656552.
- -- Arnaud Fontaine <arnau at debian.org> Sat, 24 Nov 2012 13:36:11 +0900
+ -- Arnaud Fontaine <arnau at debian.org> Thu, 28 Feb 2013 18:21:11 +0900
zope2.12 (2.12.23-1) unstable; urgency=low
Deleted: zope2.12/trunk/debian/patches/CVE-2012-5487.patch
===================================================================
--- zope2.12/trunk/debian/patches/CVE-2012-5487.patch 2012-11-26 02:38:51 UTC (rev 2691)
+++ zope2.12/trunk/debian/patches/CVE-2012-5487.patch 2013-02-28 09:44:52 UTC (rev 2692)
@@ -1,13 +0,0 @@
-Index: zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py
-===================================================================
---- zope2.12-2.12.26.orig/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-22 18:57:27.000000000 +0900
-+++ zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-24 13:23:20.669183242 +0900
-@@ -311,6 +311,8 @@
- ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
- dot = module_name.find('.', dot + 1)
-
-+allow_module.__roles__ = ()
-+
- def allow_class(Class):
- """Allow a class and all of its methods to be used from a
- restricted Script. The argument Class must be a class."""
Modified: zope2.12/trunk/debian/patches/CVE-2012-5505.patch
===================================================================
--- zope2.12/trunk/debian/patches/CVE-2012-5505.patch 2012-11-26 02:38:51 UTC (rev 2691)
+++ zope2.12/trunk/debian/patches/CVE-2012-5505.patch 2013-02-28 09:44:52 UTC (rev 2692)
@@ -1,23 +1,28 @@
-Index: zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py
-===================================================================
---- zope2.12-2.12.26.orig/source/zope.traversing/src/zope/traversing/namespace.py 2012-11-22 19:00:29.000000000 +0900
-+++ zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py 2012-11-24 13:16:40.229707666 +0900
-@@ -31,7 +31,7 @@
- from zope.traversing.interfaces import IEtcNamespace
- from zope.traversing.interfaces import IPathAdapter
- from zope.traversing.interfaces import ITraversable
+=== modified file 'src/zope/annotation/configure.zcml'
+--- src/zope/annotation/configure.zcml 2011-02-15 15:46:28 +0000
++++ src/zope/annotation/configure.zcml 2013-01-27 18:00:07 +0000
+@@ -8,10 +8,4 @@
+ factory=".attribute.AttributeAnnotations"
+ />
+
+- <adapter
+- for=".interfaces.IAttributeAnnotatable *"
+- provides=".interfaces.IAnnotations"
+- factory=".attribute.AttributeAnnotations"
+- />
-
-+from zope.traversing.interfaces import TraversalError
-
- class UnexpectedParameters(LocationError):
- "Unexpected namespace parameters were provided."
-@@ -325,6 +325,9 @@
- self.request = request
-
- def traverse(self, name, ignored):
-+ if not name:
-+ raise TraversalError(self.context, name)
-+
- view = zope.component.queryMultiAdapter((self.context, self.request),
- name=name)
- if view is None:
+ </configure>
+
+=== modified file 'src/zope/annotation/tests/test_configure.py'
+--- src/zope/annotation/tests/test_configure.py 2011-02-15 15:46:28 +0000
++++ src/zope/annotation/tests/test_configure.py 2013-01-27 18:01:03 +0000
+@@ -36,7 +36,7 @@
+ zope.configuration.xmlconfig.XMLConfig(
+ 'configure.zcml', zope.annotation)()
+ self.assertEqual(u_count + 2, len(list(gsm.registeredUtilities())))
+- self.assertEqual(a_count + 2, len(list(gsm.registeredAdapters())))
++ self.assertEqual(a_count + 1, len(list(gsm.registeredAdapters())))
+ self.assertEqual(
+ s_count, len(list(gsm.registeredSubscriptionAdapters())))
+ self.assertEqual(h_count, len(list(gsm.registeredHandlers())))
+
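Review bot: The replacement patch's file headers (`--- src/zope/annotation/configure.zcml` and `--- src/zope/annotation/tests/test_configure.py`) are relative to a zope.annotation checkout, whereas the version being replaced addressed the bundled tree as `zope2.12-2.12.26/source/zope.traversing/src/...`. With the usual `-p1` strip these paths would presumably not resolve inside this package, so they should be rewritten to the `source/<bundled package>/src/...` layout and the series test-applied before upload. The fix strategy also changes: the earlier version rejected an empty name in `traverse` before `queryMultiAdapter((self.context, self.request), name=name)`, while this one only drops the adapter registered for `.interfaces.IAttributeAnnotatable *`. It is worth confirming against #692899 that no other unnamed registration stays reachable through that lookup now that the guard is gone. Because the patch now carries a CVE fix taken from a different upstream tree, a short header such as `Bug-Debian: https://bugs.debian.org/692899` plus an `Origin:` line naming the upstream revision would make it auditable.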