Debian Security Advisory

DSA-006-1 zope -- privilege escalation

Date Reported:

19 Dec 2000

Affected Packages:

zope

Vulnerable:

Yes

Security database references:

No other external database security references currently available.

More information:

Last week a Zope security advisory was released which indicated Erik Enge found a problem in the way Zope calculates roles. In some situations Zope checked the wrong folder hierarchy which could cause it to grant local roles when it should not. In other words: users with privileges in one folder could gain privileges in another folder.

This has been fixed in version 2.1.6-5.3 by including the 2000-12-15 hotfix, and we recommend that you upgrade your zope package immediately.

Fixed in:

Debian 2.2 (potato)

Source:: http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-5.3.diff.gz; http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-5.3.dsc; http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6.orig.tar.gz
alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/zope_2.1.6-5.3_alpha.deb
arm:: http://security.debian.org/dists/stable/updates/main/binary-arm/zope_2.1.6-5.3_arm.deb
i386:: http://security.debian.org/dists/stable/updates/main/binary-i386/zope_2.1.6-5.3_i386.deb
m68k:: http://security.debian.org/dists/stable/updates/main/binary-m68k/zope_2.1.6-5.3_m68k.deb
powerpc:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/zope_2.1.6-5.3_powerpc.deb
sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/zope_2.1.6-5.3_sparc.deb