oss-sec mailing list archives

Re: CVE-2011-4924 assignment notification -- Zope2, Zope3: Incomplete upstream fix for CVE-2010-1104 issue


From: Jan-Wijbrand Kolman <janwijbrand () gmail com>
Date: Thu, 19 Jan 2012 14:02:10 +0100

Hello,

On Thu, Jan 19, 2012 at 1:51 PM, Jan Lieskovsky <jlieskov () redhat com> wrote:
> On 01/19/2012 01:42 PM, Yves-Alexis Perez wrote:
>> Does this mean CVE-2010-1104 applies to Zope3 too, or the fix for this
>> CVE created CVE-2011-4924?
>
> The former. The CVE-2010-1104 issue was applicable to Zope3 too (just wasn't
> described in the description). The reason probably being the CVE-2010-1104
> to have been reported against Zope2 version only (according to particular
> LaunchPad bug).
>
> Zope2 patch for CVE-2010-1104 was incomplete (still allowing XSS). Not sure
> if there was some Zope3 patch for CVE-2010-1104 applied.
>
> Jan-Wijbrand Kolman, could you clarify and help us to understand original
> CVE-2010-1104 situation in Zope3?

To my knowledge there was no patch applied to Zope 3 for
CVE-2010-1104. Mind you though: I only think so because I could not
find evidence of changes in zope.error related to this issue from
before the zope.error 3.7.3 release.

regards, jw
-- 
Jan-Wijbrand Kolman
janwijbrand () gmail com

