From yasi at yasi.to Mon Dec 11 15:20:35 2006
From: yasi at yasi.to (HAYASHI Yasushi)
Date: Mon Dec 11 15:20:39 2006
Subject: zope -- restructuredText "csv_table" Information Disclosure
Message-ID:

On 10/19/06, Andrew Pntyukhim wrote:
> The vulnerability has been confirmed in these versions,
> but as far as we know there are no versions confirmed
> to be safe yet. To be on the safe side we never put an
> upper limit on version numbers until we know it for
> sure.

Please add an upper limit to vid="65a8f773-4a37-11db-a4cc-000a48049292".
There are two reasons.

(1) I sent PRs for this vulnerability.
    This will update www/zope to zope-2.7.9_1 and www/zope28 to zope-2.8.8_1.
    See:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=106505
    http://www.freebsd.org/cgi/query-pr.cgi?pr=106508

(2) It points to TOO wide a range.
    The current range causes a problem for www/zope3, which does not have this vulnerability.

>
> vxquery -t text /usr/ports/security/vuxml/vuln.xml zope-3.3.0
> Topic: zope -- restructuredText "csv_table" Information Disclosure
> Affects:
> 0 <= zope
> References:
> bid:20022
> cvename:CVE-2006-4684
> url:http://secunia.com/advisories/21947/
> url:http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt
>
>
>
>
> www# pwd
> /usr/ports/www/zope3
> www# make fetch
> ===> zope-3.3.0 has known vulnerabilities:
> => zope -- restructuredText "csv_table" Information Disclosure.
> Reference:
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/www/zope3.
> www#

Thank you for reading.

--
----+----1----+----2----+----3----+----4----+----5----+----6----+----7--
HAYASHI Yasushi
http://www.yasi.to/blog
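
The false positive described in the message above, as an added example that is not part of the original mail and not code from the FreeBSD ports tools. It assumes a simplified version comparison (dotted numbers plus an optional _N port revision), and the bounded ranges are constructed from the fixed versions named in the PRs, not taken from vuln.xml.

```python
import operator
import re

OPS = {"ge": operator.ge, "gt": operator.gt, "le": operator.le, "lt": operator.lt}

def parse_version(version):
    """Simplified sort key: '2.8.8_1' -> ((2, 8, 8), 1). Not the full ports algorithm."""
    base, _, revision = version.partition("_")
    numbers = tuple(int(n) for n in re.findall(r"\d+", base))
    return (numbers, int(revision or 0))

def split_pkg(pkg):
    """Split 'zope-3.3.0' into ('zope', '3.3.0') at the last hyphen."""
    name, _, version = pkg.rpartition("-")
    return name, version

def in_range(version, bounds):
    """True when the version satisfies every bound of one range."""
    key = parse_version(version)
    return all(OPS[op](key, parse_version(limit)) for op, limit in bounds.items())

def affected(pkg, entry):
    """True when the package name matches and any range covers its version."""
    name, version = split_pkg(pkg)
    return name in entry["names"] and any(in_range(version, r) for r in entry["ranges"])

# Range as reported by vxquery in the mail: "0 <= zope", no upper limit.
OPEN_ENTRY = {"names": {"zope"}, "ranges": [{"ge": "0"}]}

# Constructed bounded ranges (assumption): upper limits at the versions the
# PRs update to, zope-2.7.9_1 (www/zope) and zope-2.8.8_1 (www/zope28).
BOUNDED_ENTRY = {
    "names": {"zope"},
    "ranges": [{"ge": "0", "lt": "2.7.9_1"}, {"ge": "2.8.0", "lt": "2.8.8_1"}],
}

def report(packages):
    """Return {package: (flagged by open range, flagged by bounded ranges)}."""
    return {p: (affected(p, OPEN_ENTRY), affected(p, BOUNDED_ENTRY)) for p in packages}

if __name__ == "__main__":
    # Constructed package list: the zope3 port from the mail plus the old
    # and updated versions of the two ports named in the PRs.
    sample = ["zope-3.3.0", "zope-2.7.9", "zope-2.7.9_1", "zope-2.8.8", "zope-2.8.8_1"]
    for pkg, (open_hit, bounded_hit) in report(sample).items():
        print(f"{pkg:14} open-range={open_hit!s:5} bounded={bounded_hit}")
```
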