Discussion:
Bug#450767: security update to zope-cmfplone_2.5.1-4etch1 breaks plone product
Gerrit Jan Baarda
2007-11-10 10:02:10 UTC
Package: zope-cmfplone
Version: 2.5.1-4etch1
Severity: grave
Tags: security
Justification: causes non-serious data loss

After upgrading to 2.5.1-4etch1 all my plone instances are broken. I had to revert to the previous version, thus preventing a security update.

I have included the event log during startup.


-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages zope-cmfplone depends on:
ii python-imaging 1.1.5-11 Python Imaging Library
ii zope-archetypes 1.4.1-1 framework for developing and deplo
ii zope-atcontenttypes 1.1.3-1 archetypes-based replacement for P
ii zope-atrbw 1.5-1 reference widget add-on to zope ar
ii zope-btreefolder2 1.0.2-3 zope folder that can efficiently c
ii zope-cmf1.6 1.6.2-1 zope content management framework
ii zope-cmfactionicons1.6 1.6.2-1 actions and icons add-on for zope
ii zope-cmfcalendar1.6 1.6.2-1 zope cmf calendar, 1.6 branch
ii zope-cmfcore1.6 1.6.2-1 zope cmf core services, 1.6 branch
ii zope-cmfdefault1.6 1.6.2-1 zope cmf default (basic) content,
ii zope-cmfdynamicviewfti 2.1-1 dynamic views add-on for CMF
ii zope-cmfformcontroller 2.0.5-1 zope form validation for cmf and p
ii zope-cmfplacefulworkflow 1.0.2-1 placeful workflow based on CMF for
ii zope-cmfquickinstallertool 1.5.9-1 zope add-on to easy install cmf/pl
ii zope-cmftopic1.6 1.6.2-1 zope cmf topic, 1.6 branch
ii zope-common 0.5.31 common settings and scripts for zo
ii zope-dcworkflow1.6 1.6.2-1 fully customizable workflow for cm
ii zope-extendedpathindex 2.4-1 index implementation with advanced
ii zope-externaleditor 0.9.2-2 Zope External Editor
ii zope-genericsetup 1.6.2-1 mini-framework for filesystem-base
ii zope-groupuserfolder 3.54-1 zope add-on that provides user fla
ii zope-kupu 1.3.8-1 cross-browser document-centric WYS
ii zope-pas 1.4-1 fully-pluggable user folder for Zo
ii zope-passwordresettool 0.4.1-1 password reset tool for Plone
ii zope-ploneerrorreporting 1.0-1 error reporting tool for plone 2.0
ii zope-plonelanguagetool 1.4-1 language manager and handler for p
ii zope-plonepas 2.1-1 PluggableAuthService adapter for P
ii zope-plonetranslations 2.6.0-1 translation files for plone 2.5
ii zope-pluginregistry 1.1.1-1 generalized tool for registering p
ii zope-pts 1.3.3-1 placeless translation service for
ii zope-resourceregistries 1.3.2-1 zope registry for linked styleshee
ii zope-securemailhost 1.0.4-2 secure MailHost reimplementation f
ii zope-statusmessages 2.0.1-1 status messages handler for Zope a
ii zope2.9 2.9.6-4etch1 Open Source Web Application Server

Versions of packages zope-cmfplone recommends:
ii zope-cachefu 1.0.1-3 suite of Zope products for speedin
ii zope-linguaplone 0.9.final-1 multilingual and translation solut

-- no debconf information
Thijs Kinkhorst
2007-11-10 12:50:13 UTC
Hi Fabio,
Post by Gerrit Jan Baarda
Package: zope-cmfplone
Version: 2.5.1-4etch1
Severity: grave
Tags: security
Justification: causes non-serious data loss
After upgrading to 2.5.1-4etch1 all my plone instances are broken. I had to
revert to the previous version, thus preventing a security update.
I have included the event log during startup.
I've received a different report about this as well. Can you investigate
please?


thanks,
Thijs
Fabio Tranchitella
2007-11-10 13:00:46 UTC
Hi Thijs,
Post by Thijs Kinkhorst
I've received a different report about this as well. Can you investigate
please?
I'm working on this... I tested the package in my test environment and it
worked, but trying it in a new instance triggers the issue.

My fault, I'm fixing the package, sorry. :-(

Best regards,
--
Fabio Tranchitella http://www.kobold.it
Free Software Developer and Consultant http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
Fabio Tranchitella
2007-11-10 13:27:49 UTC
Hi Thijs,
Post by Thijs Kinkhorst
I've received a different report about this as well. Can you investigate
please?
Here we are, this is the fixed package. My fault: I tested the unstable
package in my etch environment and it worked (it's architecture-all, so no
strange dependencies on it).

I've tested it with a plain new installation and it works.

http://tranchitella.it/~kobold/zope-cmfplone-CVE-2007-5741/zope-cmfplone_2.5.1-4etch2_amd64.changes

Sorry for the trouble,
--
Fabio Tranchitella http://www.kobold.it
Free Software Developer and Consultant http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
Bernd Zeimetz
2007-11-10 15:41:41 UTC
Post by Fabio Tranchitella
I've tested it with a plain new installation and it works.
http://tranchitella.it/~kobold/zope-cmfplone-CVE-2007-5741/zope-cmfplone_2.5.1-4etch2_amd64.changes
Sorry for the trouble,
I just gave it a try and can confirm that it works.
--
Bernd Zeimetz
<***@bzed.de> <http://bzed.de/>
Thijs Kinkhorst
2007-11-10 20:27:17 UTC
Post by Fabio Tranchitella
Hi Thijs,
Post by Thijs Kinkhorst
I've received a different report about this as well. Can you investigate
please?
Here we are, this is the fixed package. My fault: I tested the unstable
package in my etch environment and it worked (it's architecture-all, so no
strange dependencies on it).
I've tested it with a plain new installation and it works.
Great, thanks for the quick response.

It still contained your unnecessary fix for RegistrationTool.py, so I reverted
that and uploaded the package. An updated advisory will hopefully be released
soon.


Thijs
Debian Bug Tracking System
2007-12-18 10:15:07 UTC
Your message dated Tue, 18 Dec 2007 11:01:51 +0100
with message-id <***@mail.26dimensions.com>
and subject line Fixed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
