From 078daae9a18aa68c170faf70d6c6202046d327fb Mon Sep 17 00:00:00 2001 From: brad Date: Sun, 29 Sep 2002 06:02:18 +0000 Subject: [PATCH] SECURITY: add 2002-06-14 hotfix The issue involves the security of the indexes of ZCatalog objects. A flaw in the security settings of ZCatalog allows anonymous users to call arbitrary methods of catalog indexes. The vulnerability also allows untrusted code to do the same. -- From: MAINTAINER --- www/zope/Makefile | 16 ++++++++++++++-- www/zope/distinfo | 15 +++++++++------ www/zope/pkg/PLIST | 5 ++++- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/www/zope/Makefile b/www/zope/Makefile index 72417036bdb..7f5d2e4655c 100644 --- a/www/zope/Makefile +++ b/www/zope/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.13 2002/07/09 12:32:34 matt Exp $ +# $OpenBSD: Makefile,v 1.14 2002/09/29 06:02:18 brad Exp $ COMMENT= "object-oriented web application server" VERSION= 2.5.1 -PORT_VERSION= ${VERSION} +PORT_VERSION= ${VERSION}p1 DISTNAME= Zope-${VERSION}-src PKGNAME= zope-${PORT_VERSION} @@ -23,10 +23,18 @@ MASTER_SITES= http://www.zope.org/Products/Zope/${VERSION}/ EXTRACT_SUFX= .tgz EXTRACT_CASES= *.tgz) gtar zxf ${FULLDISTDIR}/$$archive ;; +DIST_SUBDIR= zope + MASTER_SITES0= http://www.zope.org/Members/zigg/UnixSecurityPatch/ PATCHFILES= Zope-${VERSION}-unix-security.patch:0 PATCH_DIST_STRIP=-p1 +HOTFIX_DATE1= 2002-06-14 +MASTER_SITES1= http://www.zope.org/Products/Zope/Hotfix_${HOTFIX_DATE1}/ + +DISTFILES= ${DISTNAME}${EXTRACT_SUFX} \ + Hotfix_${HOTFIX_DATE1}.tgz:1 + BUILD_DEPENDS= :python->=2.1.2,<2.2:lang/python/2.1 \ :gtar-*:archivers/gtar RUN_DEPENDS= :python->=2.1.2,<2.2:lang/python/2.1 
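Review bot: Nothing next to `HOTFIX_DATE1`/`MASTER_SITES1` records what the hotfix is for or when it can be dropped, so a later bump of `VERSION` could keep fetching and installing it for no reason, or remove it while it is still needed. A comment above the block would cover this, e.g. `# Hotfix_2002-06-14: ZCatalog index security fix; remove once VERSION includes it`. Both `MASTER_SITES0` and `MASTER_SITES1` are plain `http://`, so the checksums in distinfo are the only integrity check on a security fix. It is worth stating in the commit record how the recorded hashes were checked against the upstream announcement.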
@@ -78,6 +86,10 @@ do-install: ${PREFIX}/share/doc/zope/changenotes echo "Zope ${VERSION} (OpenBSD package zope-${PORT_VERSION})" \ > ${PREFIX}/lib/zope/lib/python/version.txt + ${INSTALL_DATA_DIR} ${PRODUCTSDIR}/Hotfix_${HOTFIX_DATE1} + ${INSTALL_DATA} \ + ${WRKDIR}/lib/python/Products/Hotfix_${HOTFIX_DATE1}/* \ + ${PRODUCTSDIR}/Hotfix_${HOTFIX_DATE1} do-regress: cd ${WRKSRC} && ${LOCALBASE}/bin/python2.1 utilities/testrunner.py -a diff --git a/www/zope/distinfo b/www/zope/distinfo index ebf956ac32f..92f9bb1bff3 100644 --- a/www/zope/distinfo +++ b/www/zope/distinfo @@ -1,6 +1,9 @@ -MD5 (Zope-2.5.1-src.tgz) = 65d502b2acf986693576decad6b837cf -MD5 (Zope-2.5.1-unix-security.patch) = 89324efb7f2f8846b2a05170c8c7a0e7 -RMD160 (Zope-2.5.1-src.tgz) = 3835ad67b93184416b2ff090642948fb11686c39 -RMD160 (Zope-2.5.1-unix-security.patch) = 6ee8fd7335d7b0d927327065966e930939b143fd -SHA1 (Zope-2.5.1-src.tgz) = 6ef5ac94270a61541c4ca5da866e60395823658a -SHA1 (Zope-2.5.1-unix-security.patch) = 4eb470c3a006b0ee76348712a19d0adc713dcc69 +MD5 (zope/Hotfix_2002-06-14.tgz) = 2897d702575070bbe0430e00f29a83ff +MD5 (zope/Zope-2.5.1-src.tgz) = 65d502b2acf986693576decad6b837cf +MD5 (zope/Zope-2.5.1-unix-security.patch) = 89324efb7f2f8846b2a05170c8c7a0e7 +RMD160 (zope/Hotfix_2002-06-14.tgz) = 51f5990a7018de88ada40f25b130ff88b05222e4 +RMD160 (zope/Zope-2.5.1-src.tgz) = 3835ad67b93184416b2ff090642948fb11686c39 +RMD160 (zope/Zope-2.5.1-unix-security.patch) = 6ee8fd7335d7b0d927327065966e930939b143fd +SHA1 (zope/Hotfix_2002-06-14.tgz) = 9559701aa15512dcb890f2760b198693825b9587 +SHA1 (zope/Zope-2.5.1-src.tgz) = 6ef5ac94270a61541c4ca5da866e60395823658a +SHA1 (zope/Zope-2.5.1-unix-security.patch) = 4eb470c3a006b0ee76348712a19d0adc713dcc69 diff --git a/www/zope/pkg/PLIST b/www/zope/pkg/PLIST index 49ff7ce7fa7..537d4e824f2 100644 --- a/www/zope/pkg/PLIST +++ b/www/zope/pkg/PLIST 
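Review bot: The added install step copies `${WRKDIR}/lib/python/Products/Hotfix_${HOTFIX_DATE1}/*` with a glob, while the PLIST change registers only `README.txt` and `__init__.py`, so any other file in the tarball would be installed without being tracked by the package. Neighbouring Products in PLIST have `.pyc`/`.pyo` entries and the hotfix has none. If the byte-compile step (not visible in this hunk) runs before these lines, Zope may write `__init__.pyc` on first import when the Products directory is writable, and the new `@dirrm` would then fail on deinstall. Naming the two files explicitly instead of `*`, and placing the copy ahead of the compile step, would keep the installed tree and PLIST in agreement. The `do-install` target starts outside the hunk, so the ordering needs confirming against the full Makefile.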
@@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.8 2002/04/25 15:38:55 matt Exp $
+@comment $OpenBSD: PLIST,v 1.9 2002/09/29 06:02:19 brad Exp $
 bin/zope-instance
 lib/zope/Extensions/README.txt
 lib/zope/ZServer/DebugLogger.py
@@ -905,6 +905,8 @@ lib/zope/lib/python/Products/ExternalMethod/tests/__init__.py
 lib/zope/lib/python/Products/ExternalMethod/tests/testExternalMethod.py
 lib/zope/lib/python/Products/ExternalMethod/version.txt
 lib/zope/lib/python/Products/ExternalMethod/www/function.gif
+lib/zope/lib/python/Products/Hotfix_2002-06-14/README.txt
+lib/zope/lib/python/Products/Hotfix_2002-06-14/__init__.py
 lib/zope/lib/python/Products/MIMETools/MIMETag.py
 lib/zope/lib/python/Products/MIMETools/MIMETag.pyc
 lib/zope/lib/python/Products/MIMETools/MIMETag.pyo
@@ -2850,6 +2852,7 @@ share/doc/zope/changenotes/010620-2.4-btreeconflict.stx
 @dirrm lib/zope/lib/python/Products/MailHost/dtml
 @dirrm lib/zope/lib/python/Products/MailHost
 @dirrm lib/zope/lib/python/Products/MIMETools
+@dirrm lib/zope/lib/python/Products/Hotfix_2002-06-14
 @dirrm lib/zope/lib/python/Products/ExternalMethod/www
 @dirrm lib/zope/lib/python/Products/ExternalMethod/tests/Extensions
 @dirrm lib/zope/lib/python/Products/ExternalMethod/tests