Red Hat alert: New Zope packages are available

Posted by dave on Feb 26, 2001 11:42 AM EDT
Mailing list
Mail this story
Print this story

New Zope packages are available which fix numerous security vulnerabilities.

                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New Zope packages are available
Advisory ID:       RHSA-2001:021-06
Issue date:        2001-02-24
Updated on:        2001-02-26
Product:           Red Hat Powertools
Cross references:  
Obsoletes:         RHSA-2000-135 RHSA-2000-125

1. Topic:

New Zope packages are available which fix numerous security 

2. Relevant releases/architectures:

Red Hat Powertools 6.2 - alpha, i386, sparc

Red Hat Powertools 7.0 - alpha, i386

3. Problem description:

>From the Zope advisory:

"This hotfix addresses and [sic] important security issue that affects Zope
versions up to and including Zope 2.3.1 b1.

 The issue is related to ZClasses in that a user with through-the-web 
scripting capabilities on a Zope site can view and assign class 
attributes to ZClasses, possibly allowing them to make inappropriate 
changes to ZClass instances. 

 This patch also fixes problems in the ObjectManager, PropertyManager, 
and PropertySheet classes related to mutability of method return values 
which could be perceived as a security problem.

 We *highly* recommend that any Zope site running versions of Zope up to 
and including 2.3.1 b1 have this hotfix product installed to mitigate 
these issues if the site is accessible by untrusted users who have 
through-the-web scripting privileges."

The updated packages include this new hotfix.

4. Solution:

*NOTE* This advisory supercedes all other Zope and Zope-Hotfix advisories 
from Red Hat, Inc.

To update all RPMs for your particular architecture, run:

rpm -Fvh 

where  is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directly *only* contains 
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:


This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed ( for more info):

6. RPMs required:

Red Hat Powertools 6.2:





Red Hat Powertools 7.0:




7. Verification:

MD5 sum                           Package Name
1cee19a4c71066a26ad46ef843a021ec  6.2/SRPMS/Zope-2.2.4-6.src.rpm
8ccb74c33b4615f5a271d8b4020362c9  6.2/alpha/Zope-2.2.4-6.alpha.rpm
907bcbac56f1dde6c721790832c7922e  6.2/alpha/Zope-components-2.2.4-6.alpha.rpm
d0f965ede5461c89959b2a90c0e93b08  6.2/alpha/Zope-core-2.2.4-6.alpha.rpm
f3498e23a14f994cacfff7c0d8e65c4d  6.2/alpha/Zope-pcgi-2.2.4-6.alpha.rpm
c22de50c38a3b355393700569592fdc3  6.2/alpha/Zope-services-2.2.4-6.alpha.rpm
843260a32fca2a0cd1cc6dbcd50c8512  6.2/alpha/Zope-zpublisher-2.2.4-6.alpha.rpm
3955a934c2b99fad187956cc3ec94374  6.2/alpha/Zope-zserver-2.2.4-6.alpha.rpm
1a40476934178b01aae8dbe0b46bdfc2  6.2/alpha/Zope-ztemplates-2.2.4-6.alpha.rpm
129647a28cbeac9659a6717db03a0ef0  6.2/i386/Zope-2.2.4-6.i386.rpm
35f30fe3d68b43849edb63ae3b77136f  6.2/i386/Zope-components-2.2.4-6.i386.rpm
4bc74e05ed6f53d26cc94b5d006f4756  6.2/i386/Zope-core-2.2.4-6.i386.rpm
af0e5b0a225870dfc2d7dba1027b34e4  6.2/i386/Zope-pcgi-2.2.4-6.i386.rpm
9a29e9b14cee9c4d44b2c196a64a9f04  6.2/i386/Zope-services-2.2.4-6.i386.rpm
f80f0588b445a4f79f8266ca89141826  6.2/i386/Zope-zpublisher-2.2.4-6.i386.rpm
b2b5f957de787293361cd737811ae773  6.2/i386/Zope-zserver-2.2.4-6.i386.rpm
5bf7b8c372cc6692e48fe767e4a575a0  6.2/i386/Zope-ztemplates-2.2.4-6.i386.rpm
9cd609052adfa6776e211c460dc21f7d  6.2/sparc/Zope-2.2.4-6.sparc.rpm
485315f636e8f8fc9b7578f45395854c  6.2/sparc/Zope-components-2.2.4-6.sparc.rpm
d430518810cc99f671dca3c2a0da5962  6.2/sparc/Zope-core-2.2.4-6.sparc.rpm
18fe9ab287a933d2667738f60c7b3906  6.2/sparc/Zope-pcgi-2.2.4-6.sparc.rpm
2c19519b8b79a53c616a872376f03052  6.2/sparc/Zope-services-2.2.4-6.sparc.rpm
4e539977de9266832b27304a806a6c6a  6.2/sparc/Zope-zpublisher-2.2.4-6.sparc.rpm
3a7862b5756a7244646b9003e293b46e  6.2/sparc/Zope-zserver-2.2.4-6.sparc.rpm
26c1116758fd7503932ae433e90d5eda  6.2/sparc/Zope-ztemplates-2.2.4-6.sparc.rpm
bf725481032bb7274d43214313dd5faa  7.0/SRPMS/Zope-2.2.4-7.src.rpm
ac9263e51ae7363f87094600310d8361  7.0/alpha/Zope-2.2.4-7.alpha.rpm
f35516df480cc1d69c2c32909d98c3d0  7.0/alpha/Zope-components-2.2.4-7.alpha.rpm
7208182e7aa101adc2422ef88aed16b9  7.0/alpha/Zope-core-2.2.4-7.alpha.rpm
3d1c823fc95ad40a5896636b65db85dc  7.0/alpha/Zope-pcgi-2.2.4-7.alpha.rpm
4bb7097532b82a2a19d8589c2bda25ba  7.0/alpha/Zope-services-2.2.4-7.alpha.rpm
084fc2a9557ae11d1c791ac2afd56b1e  7.0/alpha/Zope-zpublisher-2.2.4-7.alpha.rpm
e7556ec91a966e911355905f328623ef  7.0/alpha/Zope-zserver-2.2.4-7.alpha.rpm
d4ca57128f0e7d853e611e988cf0a842  7.0/alpha/Zope-ztemplates-2.2.4-7.alpha.rpm
75a7a5006bf795de4fd11ecf1fc7b7fa  7.0/i386/Zope-2.2.4-7.i386.rpm
74c87a18942602b2075ed3e948a17360  7.0/i386/Zope-components-2.2.4-7.i386.rpm
b06820fd06b0b1c062efc73657ef72bb  7.0/i386/Zope-core-2.2.4-7.i386.rpm
2ab9d8cd4946c89dddc705f2fd1a5df6  7.0/i386/Zope-pcgi-2.2.4-7.i386.rpm
d378aba6b5ccd95813252c734960688f  7.0/i386/Zope-services-2.2.4-7.i386.rpm
3d1ad4cd23e722b2d32d732e604e6e1a  7.0/i386/Zope-zpublisher-2.2.4-7.i386.rpm
cc478476f6bd734dc4981cf42914ada6  7.0/i386/Zope-zserver-2.2.4-7.i386.rpm
bb2bef1616e9eb3693c86cf0564bc140  7.0/i386/Zope-ztemplates-2.2.4-7.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:

You can verify each package with the following command:
    rpm --checksig  

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg 

8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.

» Read more about: Story Type: Security; Groups: Red Hat

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.