Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 433
Alerts This Week
Warning Icon 1 433

Debian: DSA-043-1 Critical Zope Access Issues Remote Threat

debian
Calendar Grey March 9, 2001
Debian Logo
Addressing critical weaknesses in Zope modules is essential for preserving the security and robustness of the Debian environment.
This advisory covers several vulnerabilities in Zope that have been addressed.

Summary

This advisory covers several vulnerabilities in Zope that have been
addressed.

1. Hotfix 08_09_2000 "Zope security alert and hotfix product"

The issue involves the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type. Because the mutable object is still associated with
the persistent User object, users with the ability to edit DTML
could arrange to give themselves extra roles for the duration of a
single request by mutating the roles list as a part of the request
processing.

2. Hotfix 2000-10-02 "ZPublisher security update"

It is sometimes possible to access, through an URL only, objects
protected by a role which the user has in some context, but not in
the context of the accessed object.

3. Hotfix 2000-10-11 "ObjectManager subscripting"

The issue involves the fact that the 'subscript notation' that can
be used to access items of ObjectManagers (Folders) did not
correctly...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.