Debian Security Advisory
zope -- unauthorized escalation of privilege (update)
- Date Reported:
- 21 Aug 2000
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0725.
- More information:
- On versions of Zope prior to 2.2.1 it was possible for a
user with the ability to edit DTML to gain unauthorized access to extra roles
during a request. A fix was previously announced in the Debian GNU/Linux zope package
2.1.6-5.1, but that package did not fully address the issue and has been
superseded by this announcement. More information is available at http://www.zope.org/Products/Zope/Hotfix_2000-08-17/security_alert.
Debian GNU/Linux 2.1 (slink) did not include zope, and is not vulnerable. Debian GNU/Linux 2.2 (potato) does include zope and is vulnerable to this issue. A fixed package for Debian GNU/Linux 2.2 (potato) is available in zope 2.1.6-5.2.
- Fixed in:
Debian GNU/Linux 2.2 (potato)