Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE-2011-4924 assignment notification -- Zope2, Zope3: Incomplete upstream fix for CVE-2010-1104 issue
From: Jan-Wijbrand Kolman <janwijbrand () gmail com>
Date: Thu, 19 Jan 2012 14:02:10 +0100


On Thu, Jan 19, 2012 at 1:51 PM, Jan Lieskovsky <jlieskov () redhat com> wrote:
On 01/19/2012 01:42 PM, Yves-Alexis Perez wrote:
Does this mean CVE-2010-1104 applies to Zope3 too, or the fix for this
CVE created CVE-2011-4924?

The former. The CVE-2010-1104 issue was applicable to Zope3 too (just wasn't
described in the description). The reason probably being the CVE-2010-1104
to had been reported against Zope2 version only (according to particular
LaunchPad bug).

Zope2 patch for CVE-2010-1104 was incomplete (still allowing XSS). Not sure,
if there was some Zope3 patch for CVE-2010-1104 applied.

Jan-Wijbrand Kolman could you clarify and help us to understand original
CVE-2010-1104 situation in Zope3?

To my knowledge there was no patch applied to Zope 3 for
CVE-2010-1104. Mind you though: I only think so because I could not
find evidence of changes in zope.error related to this issue from
before the zope.error 3.7.3 release.

regards, jw
Jan-Wijbrand Kolman
janwijbrand () gmail com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]