Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

Arnaud Fontaine arnau at debian.org
Thu Dec 6 01:26:43 UTC 2012


Hi,

Moritz Muehlenhoff <jmm at debian.org> writes:

> On Sun, Nov 25, 2012 at 11:07:38AM +0900, Arnaud Fontaine wrote:
>> The following CVEs do not affect the Zope2 package (Plone/Zope3/..)
>> (within brackets is the Product/module/... affected, along with the
>> corresponding filename in the Plone Hotfix):
>
> For clarification, so that I can update the Debian Security Tracker,
> none of these CVE IDs are packaged in Debian, right?
>
> (I can't find a Plone package, but these could be packaged through one
> of the many zope.* packages?)
>
>> * CVE-2012-5485 (Plone: registerConfiglet.py)
>>   http://plone.org/products/plone/security/advisories/20121106/01
>> 
>> * CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
>>   (Plone-specific: python_scripts.py)
>>   http://plone.org/products/plone/security/advisories/20121106/04
>>   http://plone.org/products/plone/security/advisories/20121106/10
>>   http://plone.org/products/plone/security/advisories/20121106/11
>>   http://plone.org/products/plone/security/advisories/20121106/15
>>   http://plone.org/products/plone/security/advisories/20121106/22
>> 
>> * CVE-2012-5490 (kss: kssdevel.py)
>>   http://plone.org/products/plone/security/advisories/20121106/06
>> 
>> * CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
>>   http://plone.org/products/plone/security/advisories/20121106/12
>>   http://plone.org/products/plone/security/advisories/20121106/20
>> 
>> * CVE-2012-5492 (Plone: uid_catalog.py)
>>   http://plone.org/products/plone/security/advisories/20121106/08
>> 
>> * CVE-2012-5493 (CMFCore: gtbn.py)
>>   http://plone.org/products/plone/security/advisories/20121106/09
>> 
>> * CVE-2012-5496 (Plone: kupu_spellcheck.py)
>>   http://plone.org/products/plone/security/advisories/20121106/09
>> 
>> * CVE-2012-5497 (Plone: membership_tool.py)
>>   http://plone.org/products/plone/security/advisories/20121106/13
>> 
>> * CVE-2012-5498 (Plone: queryCatalog.py)
>>   http://plone.org/products/plone/security/advisories/20121106/14
>> 
>> * CVE-2012-5500 (Plone: renameObjectsByPaths.py)
>>   http://plone.org/products/plone/security/advisories/20121106/15
>> 
>> * CVE-2012-5501 (Plone: at_download.py)
>>   http://plone.org/products/plone/security/advisories/20121106/17
>> 
>> * CVE-2012-5502 (PortalTransforms: safe_html.py)
>>   http://plone.org/products/plone/security/advisories/20121106/18
>> 
>> * CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
>>   http://plone.org/products/plone/security/advisories/20121106/19

None of the above CVE IDs are packaged in Debian, as Plone is not
packaged in Debian and the other Products/modules are not packaged in
Debian either.

Cheers,
-- 
Arnaud Fontaine