blob: 996f84d659d3998bd545588d73cddc8945bbf99f [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200510-20">
<title>Zope: File inclusion through RestructuredText</title>
Zope is vulnerable to a file inclusion vulnerability when exposing
RestructuredText functionalities to untrusted users.
<product type="ebuild">Zope</product>
<announced>October 25, 2005</announced>
<revised>May 22, 2006: 02</revised>
<package name="net-zope/zope" auto="yes" arch="*">
<unaffected range="ge">2.7.8</unaffected>
<vulnerable range="lt">2.7.8</vulnerable>
<vulnerable range="eq">2.8.0</vulnerable>
<vulnerable range="eq">2.8.1</vulnerable>
Zope is an application server that can be used to build content
management systems, intranets, portals or other custom applications.
Zope honors file inclusion directives in RestructuredText objects by
<impact type="normal">
An attacker could exploit the vulnerability by sending malicious input
that would be interpreted in a RestructuredText Zope object,
potentially resulting in the execution of arbitrary Zope code with the
rights of the Zope server.
There is no known workaround at this time.
All Zope users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose net-zope/zope</code>
<uri link="">Zope Hotfix 2005-10-09 Alert</uri>
<uri link="">CVE-2005-3323</uri>
<metadata tag="requester" timestamp="Thu, 20 Oct 2005 15:36:29 +0000">
<metadata tag="bugReady" timestamp="Sun, 23 Oct 2005 15:31:35 +0000">
<metadata tag="submitter" timestamp="Sun, 23 Oct 2005 16:31:59 +0000">