Zope security alert and 2.1.7 update [*important*]
Hello all,

We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release. The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.

A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org:

http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your Zope installation at this time (the patch is based on 2.1.6):

http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta releases, you should apply the patch noted above if your site is accessible by untrusted clients. A forthcoming 2.2 beta 2 release will contain the fix for this issue.

While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients take the appropriate mitigation steps immediately.

Brian Lloyd
brian@digicool.com
Software Engineer
540.371.6909
Digital Creations
http://www.digicool.com
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Brian Lloyd
Sent: Thursday, June 15, 2000 5:26 PM
To: 'zope@zope.org'; 'zope-dev@zope.org'; 'zope-announce@zope.org'
Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org:
I assume based on the change log that this is the only fix in 2.1.7, correct?

I fought for a full day to get my ZSQLMethods working in 2.1.6, but apparently the argument acquisition or something like that is still so broken that I had to jump back to 2.1.4. I applied the various unofficial "fixes" from the list archives (not all at the same time, of course) and none of them did the trick. I know others beat themselves up over this too.

The problem I'm talking about is the one where the arguments to the sql method seem to be ignored. That is, if I have an argument 'order', and I have a DTML method (or any other "item") named 'order' in the same folder, <dtml-var order> in the sql method refers to the DTML method, not the argument. This breaks dozens of sql methods I have.

With all of these security issues popping up, I don't like not being able to upgrade. Does anyone have a real fix for the ZSQLMethod problems in 2.1.6 that could be officially applied to the 2.1 series, or should I start using the 2.2 betas?

Thanks!

_______________________
Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
In article <NBBBLMKDDAEIBGKHFKKCAENMCLAA.rbickers@logicetc.com>, Ron Bickers <rbickers@logicetc.com> writes
I fought for a full day to get my ZSQLMethods working in 2.1.6, but apparently the argument acquisition or something like that is still so broken that I had to jump back to 2.1.4. I applied the various unofficial "fixes" from the list archives (not all at the same time, of course) and none of them did the trick. I know others beat themselves up over this too.
The problem I'm talking about is the one where the arguments to the sql method seem to be ignored. That is, if I have an argument 'order', and I have a DTML method (or any other "item") named 'order' in the same folder, <dtml-var order> in the sql method refers to the DTML method, not the argument. This breaks dozens of sql methods I have.
With all of these security issues popping up, I don't like not being able to upgrade. Does anyone have a real fix for the ZSQLMethod problems in 2.1.6 that could be officially applied to the 2.1 series, or should I start using the 2.2 betas?
May I second this!

--
Regards,
Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.co.nz/index.php
Powered by Interbase and Zope 2.1.4 and not willing to run beta on production
On Thu, Jun 15, 2000 at 07:42:04PM -0400, Ron Bickers wrote:
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Brian Lloyd
Sent: Thursday, June 15, 2000 5:26 PM
To: 'zope@zope.org'; 'zope-dev@zope.org'; 'zope-announce@zope.org'
Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org:
I assume based on the change log that this is the only fix in 2.1.7, correct?
Yes, this is the only fix (that I can verify, Brian has the final say(!)).

Also, again as far as I can verify, the supplied patch can be applied to all Zope versions 2.0.0b5 and up without problems. If you look at the patch you'll see it involves the adding of two lines, thus very easy to apply by hand if need be.

--
Martijn Pieters | Software Engineer
mailto:mj@digicool.com | Digital Creations
http://www.digicool.com/ | Creators of Zope
http://www.zope.org/ | The Open Source Web Application Server
I assume based on the change log that this is the only fix in 2.1.7, correct?
Yes, this is the only fix (that I can verify, Brian has the final say(!)).
Also, again as far as I can verify, the supplied patch can be applied to all Zope versions 2.0.0b5 and up without problems. If you look at the patch you'll see it involves the adding of two lines, thus very easy to apply by hand if need be.
That will get me the fix for 2.1.7, but what about the 2 security fixes in 2.1.5 (which I believe is what broke it in the first place) and the numerous other bug fixes? I know I'm not the only one running 2.1.4 because of misbehaving ZSQLMethods in 2.1.5/6/7, and wondering when my site is going to be exploited because of the security issues. Broken or vulnerable seem to be my two choices. Not a very good selection.

_______________________
Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
On Fri, 16 Jun 2000, Ron Bickers wrote:
I know I'm not the only one running 2.1.4 because of misbehaving ZSQLMethods in 2.1.5/6/7, and wondering when my site is going to be exploited because of the security issues. Broken or vulnerable seem to be my two choices. Not a very good selection.
I run 2.1.4 too, and for the same reason - ZSQL and SiteAccess. I am afraid I couldn't upgrade to 2.1.5+ nor 2.2+ due to SiteAccess :(

Oleg.
(All opinions are mine and not of my employer)

----
Oleg Broytmann, Foundation for Effective Policies, phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.
In article <Pine.LNX.4.21.0006160826370.15416-100000@fep132.fep.ru>, Oleg Broytmann <phd@phd.russ.ru> writes
I run 2.1.4 too, and for the same reason - ZSQL and SiteAccess. I am afraid I couldn't upgrade to 2.1.5+ nor 2.2+ due to SiteAccess :(
Is there a document that explains how to migrate ZSQL across the 2.1.4/2.1.6 boundary?

--
Regards,
Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.co.nz/index.php
Powered by Interbase and Zope
On Fri, 16 Jun 2000, Ron Bickers wrote:
I know I'm not the only one running 2.1.4 because of misbehaving ZSQLMethods in 2.1.5/6/7, and wondering when my site is going to be exploited because of the security issues. Broken or vulnerable seem to be my two choices. Not a very good selection.
I run 2.1.4 too, and for the same reason - ZSQL and SiteAccess. I am afraid I couldn't upgrade to 2.1.5+ nor 2.2+ due to SiteAccess :(
Hi All,

I'm a Zope newbie (have been following Zope for nearly 1 year but used it very little) and now work for an ISP, and we are going to start offering Zope hosting. We currently run FreeBSD/Apache/MySQL.

I am just about to start playing with Zope 2.1.6 and MySQL, but with all this talk, what version of Zope should we run if we want to allow customers to use MySQL? What sort of SQL problems will I have? Are the problems only with the SiteAccess products?

Both the MD and I are very keen to offer Zope servers. We already offer a good service with Virtual IP hosting (it allows us to offer virtual telnet as well as web and ftp) and a 100Mbps feed to the net (salesman speaking, sorry :) ). But you can not sell a broken product (we are not M$).

So what's the best choice? Zope 2.1.4 and MySQL or Zope 2.1.7 and no MySQL?

Any thoughts
In article <00036a32b44872a1_mailit@mail-hub>, Stephen Cimarelli <scimarel@bigpond.net.au> writes
So what the best choice? Zope 2.1.4 and MySQL or Zope 2.1.7 and no MySQL?
It's all sql adapters not just MySQL.

--
Regards,
Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.co.nz/index.php
Powered by Interbase and Zope
Oleg Broytmann wrote:
I run 2.1.4 too, and for the same reason - ZSQL and SiteAccess. I am afraid I couldn't upgrade to 2.1.5+ nor 2.2+ due to SiteAccess :(
Oleg,

I am using SiteAccess and 2.1.6 at iMeme, and they play fine together. SiteAccess is also tracking 2.2, if you take a look at it.

~ethan
On Wed, 21 Jun 2000, ethan mindlace fremen wrote:
Oleg Broytmann wrote:
I run 2.1.4 too, and for the same reason - ZSQL and SiteAccess. I am afraid I couldn't upgrade to 2.1.5+ nor 2.2+ due to SiteAccess :(
I am using SiteAccess and 2.1.6 at iMeme, and they play fine together.
This is one success story among millions of failures. I certainly would not upgrade to 2.1.6.
SiteAccess is also tracking 2.2, if you take a look at it.
Yes, I saw the announcement and will try 2.0.0b2 later, when I'd try to upgrade to 2.2.

Oleg.
(All opinions are mine and not of my employer)

----
Oleg Broytmann, Foundation for Effective Policies, phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.
Brian,

from the announcement, it sounded like the only change from 2.1.6 to 2.1.7 was the fix to DT_String. Zope-2.1.7-src/doc/CHANGES.txt only lists:

Bugs Fixed

- An inadequately protected base class method made DTMLDocuments and DTMLMethods vulnerable to having their contents changed by unauthorized users.

But when I diff 2.1.6 and 2.1.7, I get modifications in 29 files, ranging from MailHost to ZLogger and so on. I haven't yet grokked the patches to 2.1.7 suggested by Adam, but some of them look like fixes to things that were broken from 2.1.6 to 2.1.7. Judging from the announcement, I would not have expected that 2.1.7 could break anything.

Therefore a little plea: Please try to keep the CHANGES.txt accurate and comprehensive; that's most urgent for security releases like this IMHO: Most people will install them without much preparation.

thanks,
Gregor

On Thu, Jun 15, 2000 at 05:26:18PM -0400, Brian Lloyd wrote:
A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org:
http://www.zope.org/Products/Zope/2.1.7/
A patch is also available if it is not feasible to update your Zope installation at this time (the patch is based on 2.1.6):