Bug 198106 - CVE-2006-3458: Zope local information disclosure
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: zope
Version: 5
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jonathan Steffan
QA Contact: Fedora Extras Quality Assurance
URL: http://www.zope.org/Products/Zope/Hot...
Keywords: Reopened, Security
Reported: 2006-07-09 14:50 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-11-22 19:53:32 EST
Description Ville Skyttä 2006-07-09 14:50:45 EDT
Unspecified vulnerability in Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to
2.9.3 (Zope2) allows local users to obtain sensitive information via unknown
attack vectors related to the docutils module and "restructured text".

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3458
http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/README.txt

Based on the version numbers, all FC-3+ appear to be vulnerable.
Comment 1 Aurelien Bompard 2006-07-12 07:08:29 EDT
Hotfix added and published from FC-3 to rawhide, thanks
Comment 2 Ville Skyttä 2006-09-26 14:22:14 EDT
Looks like some additional closely related issues were found after the
2006-07-05 hotfix, FE-3 and FE-4 seem affected:

http://www.vuxml.org/freebsd/65a8f773-4a37-11db-a4cc-000a48049292.html
http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt
Comment 3 Aurelien Bompard 2006-09-28 13:12:54 EDT
I have no FC3 or FC4 box available, so I can't test it.
On top of that, FC4 is not supported anymore, so I guess it's more of a job for
Legacy.
Comment 4 Jason Tibbitts 2006-09-28 15:52:48 EDT
Why would this be a job for Legacy?  They've never handled Extras packages, nor
do they intend to.
Comment 5 Aurelien Bompard 2006-09-28 16:28:38 EDT
I thought this had been discussed at some point.
OK, I'm willing to add the hotfix, but someone needs to test the package on
those distros.
Comment 6 Jonathan Steffan 2006-11-22 19:53:32 EST
Hotfix has been applied for some time. Closing bug.
Comment 7 Ville Skyttä 2006-11-23 11:30:50 EST
FWIW, it doesn't seem to me that zope in FE-3 and FE-4 would have been fixed. 
See comment 2.
Comment 8 Jonathan Steffan 2006-11-23 16:00:28 EST
Hotfix 20060821 applied.
