On Sun, Nov 25, 2012 at 11:07:38AM +0900, Arnaud Fontaine wrote:
> Hello,
>
> Luciano Bello <luci...@debian.org> writes:
>
> > Hi, please see: http://seclists.org/oss-sec/2012/q4/249
> >
> > Can you confirm if any of the Debian packages are affected?
>
> As far as I could find (not clear in the upstream changelog):
>
> version 2.12.26:
>   * LP #1071067 fixes CVE 2012-5507, CVE 2012-5508.
>   * LP #930812 fixes CVE 2012-5486.
>
> version 2.12.21:
>   * LP #1079238 fixes CVE 2012-5489.
>
> According to the upstream changelog, LP #1047318 seems to fix a security
> bug, but I could not find it in the zope2 Launchpad nor anywhere else.
>
> The following CVEs do not affect the Zope2 package (Plone/Zope3/...)
> (within brackets is the Product/module/... affected, along with the
> corresponding filename in the Plone Hotfix):

For clarification, so that I can update the Debian Security Tracker, none
of these CVE IDs are packaged in Debian, right? (I can't find a Plone
package, but these could be packaged through one of the many zope.*
packages?)

> * CVE-2012-5485 (Plone: registerConfiglet.py)
>   http://plone.org/products/plone/security/advisories/20121106/01
>
> * CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
>   (Plone-specific: python_scripts.py)
>   http://plone.org/products/plone/security/advisories/20121106/04
>   http://plone.org/products/plone/security/advisories/20121106/10
>   http://plone.org/products/plone/security/advisories/20121106/11
>   http://plone.org/products/plone/security/advisories/20121106/15
>   http://plone.org/products/plone/security/advisories/20121106/22
>
> * CVE-2012-5490 (kss: kssdevel.py)
>   http://plone.org/products/plone/security/advisories/20121106/06
>
> * CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
>   http://plone.org/products/plone/security/advisories/20121106/12
>   http://plone.org/products/plone/security/advisories/20121106/20
>
> * CVE-2012-5492 (Plone: uid_catalog.py)
>   http://plone.org/products/plone/security/advisories/20121106/08
>
> * CVE-2012-5493 (CMFCore: gtbn.py)
>   http://plone.org/products/plone/security/advisories/20121106/09
>
> * CVE-2012-5496 (Plone: kupu_spellcheck.py)
>   http://plone.org/products/plone/security/advisories/20121106/09
>
> * CVE-2012-5497 (Plone: membership_tool.py)
>   http://plone.org/products/plone/security/advisories/20121106/13
>
> * CVE-2012-5498 (Plone: queryCatalog.py)
>   http://plone.org/products/plone/security/advisories/20121106/14
>
> * CVE-2012-5500 (Plone: renameObjectsByPaths.py)
>   http://plone.org/products/plone/security/advisories/20121106/15
>
> * CVE-2012-5501 (Plone: at_download.py)
>   http://plone.org/products/plone/security/advisories/20121106/17
>
> * CVE-2012-5502 (PortalTransforms: safe_html.py)
>   http://plone.org/products/plone/security/advisories/20121106/18
>
> * CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
>   http://plone.org/products/plone/security/advisories/20121106/19

Cheers,
Moritz