Discussion:
Bug#450767: security update to zope-cmfplone_2.5.1-4etch1 breaks plone product
Gerrit Jan Baarda
2007-11-10 10:02:10 UTC
Package: zope-cmfplone
Version: 2.5.1-4etch1
Severity: grave
Tags: security
Justification: causes non-serious data loss

After upgrading to 2.5.1-4etch1 all my plone instances are broken. I had to revert to the previous version, thus preventing a security update.

I have included the event log during startup.


-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages zope-cmfplone depends on:
ii python-imaging 1.1.5-11 Python Imaging Library
ii zope-archetypes 1.4.1-1 framework for developing and deplo
ii zope-atcontenttypes 1.1.3-1 archetypes-based replacement for P
ii zope-atrbw 1.5-1 reference widget add-on to zope ar
ii zope-btreefolder2 1.0.2-3 zope folder that can efficiently c
ii zope-cmf1.6 1.6.2-1 zope content management framework
ii zope-cmfactionicons1.6 1.6.2-1 actions and icons add-on for zope
ii zope-cmfcalendar1.6 1.6.2-1 zope cmf calendar, 1.6 branch
ii zope-cmfcore1.6 1.6.2-1 zope cmf core services, 1.6 branch
ii zope-cmfdefault1.6 1.6.2-1 zope cmf default (basic) content,
ii zope-cmfdynamicviewfti 2.1-1 dynamic views add-on for CMF
ii zope-cmfformcontroller 2.0.5-1 zope form validation for cmf and p
ii zope-cmfplacefulworkflow 1.0.2-1 placeful workflow based on CMF for
ii zope-cmfquickinstallertool 1.5.9-1 zope add-on to easy install cmf/pl
ii zope-cmftopic1.6 1.6.2-1 zope cmf topic, 1.6 branch
ii zope-common 0.5.31 common settings and scripts for zo
ii zope-dcworkflow1.6 1.6.2-1 fully customizable workflow for cm
ii zope-extendedpathindex 2.4-1 index implementation with advanced
ii zope-externaleditor 0.9.2-2 Zope External Editor
ii zope-genericsetup 1.6.2-1 mini-framework for filesystem-base
ii zope-groupuserfolder 3.54-1 zope add-on that provides user fla
ii zope-kupu 1.3.8-1 cross-browser document-centric WYS
ii zope-pas 1.4-1 fully-pluggable user folder for Zo
ii zope-passwordresettool 0.4.1-1 password reset tool for Plone
ii zope-ploneerrorreporting 1.0-1 error reporting tool for plone 2.0
ii zope-plonelanguagetool 1.4-1 language manager and handler for p
ii zope-plonepas 2.1-1 PluggableAuthService adapter for P
ii zope-plonetranslations 2.6.0-1 translation files for plone 2.5
ii zope-pluginregistry 1.1.1-1 generalized tool for registering p
ii zope-pts 1.3.3-1 placeless translation service for
ii zope-resourceregistries 1.3.2-1 zope registry for linked styleshee
ii zope-securemailhost 1.0.4-2 secure MailHost reimplementation f
ii zope-statusmessages 2.0.1-1 status messages handler for Zope a
ii zope2.9 2.9.6-4etch1 Open Source Web Application Server

Versions of packages zope-cmfplone recommends:
ii zope-cachefu 1.0.1-3 suite of Zope products for speedin
ii zope-linguaplone 0.9.final-1 multilingual and translation solut

-- no debconf information
Thijs Kinkhorst
2007-11-10 12:50:13 UTC
Hi Fabio,
Post by Gerrit Jan Baarda
Package: zope-cmfplone
Version: 2.5.1-4etch1
Severity: grave
Tags: security
Justification: causes non-serious data loss
After upgrading to 2.5.1-4etch1 all my plone instances are broken. I had to
revert to the previous version, thus preventing a security update.
I have included the event log during startup.
I've received a different report about this as well. Can you investigate
please?


thanks,
Thijs
Fabio Tranchitella
2007-11-10 13:00:46 UTC
Hi Thijs,
Post by Thijs Kinkhorst
I've received a different report about this as well. Can you investigate
please?
I'm working on this... I tested the package in my test environment and it
worked, but trying it in a new instance triggers the issue.

My fault, I'm fixing the package, sorry. :-(

Best regards,
--
Fabio Tranchitella http://www.kobold.it
Free Software Developer and Consultant http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
Fabio Tranchitella
2007-11-10 13:27:49 UTC
Hi Thijs,
Post by Thijs Kinkhorst
I've received a different report about this as well. Can you investigate
please?
Here we are, this is the fixed package. My fault: I tested the unstable
package in my etch environment and it worked (it's architecture-all, so no
strange dependencies on it).

I've tested it with a plain new installation and it works.

http://tranchitella.it/~kobold/zope-cmfplone-CVE-2007-5741/zope-cmfplone_2.5.1-4etch2_amd64.changes

Sorry for the trouble,
--
Fabio Tranchitella http://www.kobold.it
Free Software Developer and Consultant http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
Bernd Zeimetz
2007-11-10 15:41:41 UTC
Post by Fabio Tranchitella
I've tested it with a plain new installation and it works.
http://tranchitella.it/~kobold/zope-cmfplone-CVE-2007-5741/zope-cmfplone_2.5.1-4etch2_amd64.changes
Sorry for the trouble,
I just gave it a try and can confirm that it works.
--
Bernd Zeimetz
<***@bzed.de> <http://bzed.de/>
Thijs Kinkhorst
2007-11-10 20:27:17 UTC
Post by Fabio Tranchitella
Hi Thijs,
Post by Thijs Kinkhorst
I've received a different report about this as well. Can you investigate
please?
Here we are, this is the fixed package. My fault: I tested the unstable
package in my etch environment and it worked (it's architecture-all, so no
strange dependencies on it).
I've tested it with a plain new installation and it works.
Great, thanks for the quick response.

It still contained your unnecessary fix for RegistrationTool.py, so I reverted
that and uploaded the package. An updated advisory will hopefully be released
soon.


Thijs
