ANNOUNCE: Zope 2.6.3 Release and Security Update
Brian Lloyd
brian@zope.com
Thu, 8 Jan 2004 20:19:12 -0500
Zope 2.6.3 Release and Security Update
Zope 2.6.3 contains a number of security related fixes for issues
resolved during a comprehensive security audit conducted in Q4
2003. You may download Zope 2.6.3 from Zope.org:
http://www.zope.org/Products/Zope/2.6.3/
**Users of the VerboseSecurity add-on product for Zope please note:** some
of the security-related changes in Zope 2.6.3 are incompatible with the
VerboseSecurity product. Please uninstall the VerboseSecurity product before
upgrading to 2.6.3 to avoid problems. It is expected that VerboseSecurity will
be updated to be compatible with Zope 2.6.3 in the near future.
Also note that there are binary code changes in the 2.6.3 release, making
it impossible to issue an external "hotfix" to resolve these issues. CVS
users should be sure to update their sites **and rebuild the C Python
extensions** to ensure that all fixes are deployed.
In the fourth quarter of 2003, a comprehensive evaluation of the changes
to Python from version 2.1 to 2.3.3 was undertaken. This evaluation was
designed to assess each change to the Python environment in terms of its
potential impact on the Zope application server and Zope applications,
with the goal of making Python 2.3.3 the required Python platform for
Zope beginning with Zope 2.7.
The evaluation was focused on assessing changes to Python in the
following contexts:
- Changes that would have compatibility or other effects on existing
or new Zope applications
- Changes that could potentially affect the Zope security architecture
or change the behavior of the restricted execution environment used
by Zope to run untrusted code
In the course of the evaluation, very few of the Python changes in 2.3.3
directly affected the Zope security architecture or had impacts on the
restricted execution model.
However, a number of pre-existing potential issues were discovered and
resolved in the course of the comprehensive security audit that was
performed as a part of the Python upgrade evaluation. Zope 2.6.3 provides
fixes for all of these issues. A description of each issue, who is affected,
and the issue status is included below.
For more information on what is new in this release, see the CHANGES.txt
and HISTORY.txt files for the release:
- http://www.zope.org/Products/Zope/2.6.3/CHANGES.txt
- http://www.zope.org/Products/Zope/2.6.3/HISTORY.txt
For more information on the available Zope releases, guidance for selecting
the right distribution, and installation instructions, please see:
http://www.zope.org/Documentation/Misc/InstallingZope.html
ISSUES RESOLVED BY Zope 2.6.3:
- For loops, list comprehensions, and other iterations in untrusted
code
Issue Description
Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- List and dictionary instance methods in untrusted code
Issue Description
List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Use of import as in untrusted code
Issue Description
Use of "import as" in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Use of min, max, enumerate, iter, and sum in untrusted code
Issue Description
A number of newer built-ins were either unavailable in untrusted
code or did not perform adequate security checking.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Broken binding validation in untrusted code
Issue Description
The variables bound to page templates and Python scripts such as
"context" and "container" were not checked adequately, allowing
a script to potentially access those objects without ensuring the
necessary permissions on the part of the executing user.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Unpacking in untrusted code
Issue Description
Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
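The three items above on iteration, list and dictionary methods, and unpacking share one root cause: the object was handed to untrusted code before any access check ran, and only its later use was guarded. The following is an added illustration of that point and of the shape of the fix; it is not Zope's or RestrictedPython's code. Unauthorized, Protected, check_access, the guarded_* helpers and the SAMPLE_* data are all constructed for this example.

```python
# Added example, not Zope's or RestrictedPython's code: it models why an access
# check has to run at the moment untrusted code *obtains* an object from a
# sequence, a dict.get() call or an unpacking, rather than only when the
# object's attributes are used later. Unauthorized, Protected, check_access
# and the SAMPLE_* data are all constructed for this illustration.


class Unauthorized(Exception):
    """Raised when the toy policy denies access to an object."""


class Protected:
    """Constructed stand-in for a Zope object carrying a permission flag."""

    def __init__(self, name, public):
        self.name = name
        self.public = public


def check_access(obj):
    """Toy policy: plain values pass; Protected objects must be public."""
    if isinstance(obj, Protected) and not obj.public:
        raise Unauthorized(obj.name)
    return obj


def guarded_iter(seq):
    """Iterate over seq, validating each element before yielding it.

    This is the shape of the fix for iteration in untrusted code: the
    unguarded form hands every element out first and relies on later
    attribute checks, which is too late."""
    for item in seq:
        yield check_access(item)


def guarded_dict_get(mapping, key, default=None):
    """dict.get that validates the value it is about to return."""
    return check_access(mapping.get(key, default))


def guarded_unpack(seq, count):
    """Validate every element before an 'a, b = ...' style unpacking."""
    items = tuple(guarded_iter(seq))
    if len(items) != count:
        raise ValueError("expected %d values, got %d" % (count, len(items)))
    return items


def unguarded_names(seq):
    """Pre-fix behaviour: the loop exposes every element, checked or not."""
    return [obj.name for obj in seq]


def guarded_names(seq):
    """Post-fix behaviour: names collected until the policy denies an item."""
    seen = []
    try:
        for obj in guarded_iter(seq):
            seen.append(obj.name)
    except Unauthorized:
        pass
    return seen


def is_denied(func, *args):
    """True if calling func(*args) is stopped by the policy."""
    try:
        func(*args)
    except Unauthorized:
        return True
    return False


# Constructed sample data: one private object among public ones.
SAMPLE_SEQ = [Protected("a", True), Protected("secret", False), Protected("b", True)]
SAMPLE_DICT = {"pub": SAMPLE_SEQ[0], "priv": SAMPLE_SEQ[1]}
```

The unguarded loop returns all three names; the guarded one stops at the private object, and guarded_dict_get and guarded_unpack refuse in the same way. In Zope the real check is the security policy's validate call, not the toy check_access above.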
- Unicode passed to RESPONSE.write() could shut down the process
Issue Description
Inadequate type checking could allow Unicode values passed to
RESPONSE.write() to be passed into deeper layers of asyncore,
where an exception would eventually be generated at a level that
would cause the ZServer main loop to terminate.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
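The point of this item is where the failure surfaces: a bad value that is rejected in the response object fails as one request's error, while the same value reaching the byte-oriented send path fails inside the server loop. The following added example models that difference; it is not Zope's code, and Response, LegacyResponse, transmit, handle_request and outcome are constructed names.

```python
# Added example (not Zope's code): a type check at the response layer keeps a
# unicode value out of the byte-oriented transmit path, so a mistake in one
# request fails as that request's error rather than as a fault in the server
# loop. Response, LegacyResponse, transmit and handle_request are constructed.


class ServerCrashed(Exception):
    """Models the ZServer main loop terminating on an unexpected exception."""


class LegacyResponse:
    """Pre-fix shape: write() buffers whatever it is given, unchecked."""

    def __init__(self):
        self.chunks = []

    def write(self, data):
        self.chunks.append(data)


class Response:
    """Post-fix shape: only bytes reach the buffer; str is encoded explicitly."""

    def __init__(self, encoding="utf-8"):
        self.encoding = encoding
        self.chunks = []

    def write(self, data):
        if isinstance(data, str):
            data = data.encode(self.encoding)
        elif not isinstance(data, (bytes, bytearray)):
            raise TypeError("RESPONSE.write() expects bytes or str, got %s"
                            % type(data).__name__)
        self.chunks.append(bytes(data))


def transmit(chunks):
    """Simulated server-side send: concatenates bytes and nothing else."""
    payload = b""
    for chunk in chunks:
        payload += chunk  # TypeError if a str slipped through
    return payload


def handle_request(response_factory, body):
    """Request-level errors become a 500; errors in transmit() kill the loop."""
    response = response_factory()
    try:
        response.write(body)
    except TypeError:
        return 500, b""
    try:
        return 200, transmit(response.chunks)
    except TypeError as exc:
        raise ServerCrashed(str(exc))


def outcome(response_factory, body):
    """Summarise handle_request() for the caller: (status, payload) or 'crashed'."""
    try:
        status, payload = handle_request(response_factory, body)
    except ServerCrashed:
        return "crashed"
    return status, payload
```

With LegacyResponse a str body survives write() and blows up in transmit(), which here stands for the asyncore layer; with Response the same body is encoded at the boundary, and an unsupported type is turned into a 500 for that request only.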
- PythonScript class security not initialized properly
Issue Description
Class security was not properly initialized for PythonScripts,
potentially allowing access to variables that should be protected.
It turned out that most of the security assertions were in fact
activated as a side effect of other code, but this fix is still
appropriate to ensure that all security declarations are properly
applied.
Who Is Affected?
Sites that use Python Scripts.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- XML-RPC instance marshaling may disclose protected values
Issue Description
XML-RPC marshalling of class instances used the instance
__dict__ to marshal the object, and could include attributes
prefixed with an underscore name. These attributes are considered
private in Zope and should generally not be disclosed.
Who Is Affected?
All Zope sites.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
and higher. Affected sites are strongly encouraged to update
their Zope installations to prevent this issue.
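Marshalling an instance straight from its __dict__ ships every attribute, including the underscore-prefixed ones the advisory calls private. The following added example, which is not Zope's XML-RPC marshaller, serialises from a filtered view of the instance instead; Document, public_state and the marshal_*/unmarshal_* helpers are constructed, and only the stdlib xmlrpc.client calls are real.

```python
# Added example, not Zope's marshaller: serialise an instance over XML-RPC
# from a filtered view of its attributes instead of its raw __dict__, so
# underscore-prefixed (private) attributes never leave the process.
# Document, public_state and the marshal_* helpers are constructed.

import xmlrpc.client


class Document:
    """Constructed object: two public fields and two private ones."""

    def __init__(self, title, body):
        self.title = title
        self.body = body
        self._owner = "admin"                 # underscore-prefixed: private by convention
        self.__token = "constructed-secret"   # name-mangled to _Document__token


def public_state(obj):
    """Only attributes without a leading underscore are marshalled."""
    return {name: value for name, value in vars(obj).items()
            if not name.startswith("_")}


def marshal_response_unfiltered(obj):
    """Pre-fix shape: the whole __dict__ is handed to the marshaller."""
    return xmlrpc.client.dumps((vars(obj),), methodresponse=True)


def marshal_response(obj):
    """Post-fix shape: marshal the filtered view."""
    return xmlrpc.client.dumps((public_state(obj),), methodresponse=True)


def unmarshal_response(payload):
    """Decode a methodResponse payload back into the transmitted struct."""
    params, _method = xmlrpc.client.loads(payload)
    return params[0]
```

The unfiltered payload carries both `_owner` and the name-mangled `_Document__token`; the filtered one carries only `title` and `body`. A stricter variant would marshal from an explicit allow-list per class rather than from the underscore convention alone.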
- DTML tag dtml-tree may allow DoS attack
Issue Description
The dtml-tree tag used an "eval" of user-supplied data; its
efforts to prevent abuse were ineffective.
Who Is Affected?
All Zope sites.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Potential cross-site scripting problem in default ZSearch interface
Issue Description
Browsers that do not escape HTML in query strings, such as
Internet Explorer 5.5, could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
Who Is Affected?
Sites that use the default ZSearch interface.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
and higher. Affected sites are strongly encouraged to update
their Zope installations to prevent this issue.
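The lesson of this item is that the server must escape on output whatever the browser did to the query string. The following added example, which is not the ZSearch code, shows the unescaped rendering beside the escaped one and a small check that detects a raw tag surviving into the markup; query_from_querystring, render_search_form* and contains_raw_tag are constructed names, and html.escape and parse_qs are the real stdlib functions.

```python
# Added example (not the ZSearch code): escape the query on output regardless
# of whether the browser URL-encoded it, since some browsers sent '<' and '>'
# raw in the query string. render_* and query_from_querystring are constructed.

import html
from urllib.parse import parse_qs


def query_from_querystring(query_string):
    """Extract the 'query' parameter; parse_qs accepts raw or %-encoded input."""
    return parse_qs(query_string, keep_blank_values=True).get("query", [""])[0]


def render_search_form_unescaped(query):
    """Pre-fix shape: the user's text is placed straight into the markup."""
    return '<form action="search"><input name="query" value="%s"></form>' % query


def render_search_form(query):
    """Post-fix shape: escape for an attribute context (quote=True)."""
    return ('<form action="search"><input name="query" value="%s"></form>'
            % html.escape(query, quote=True))


def contains_raw_tag(markup, tag="script"):
    """Detection helper: True if an unescaped <tag> survives in the output."""
    return ("<%s" % tag) in markup.lower()
```

The same query value arrives whether the browser %-encoded it or not, so the decision to escape cannot depend on the transport; quote=True matters because the value sits inside a double-quoted attribute.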
- Proxy rights on DTMLMethods transferred via acquisition
Issue Description
DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
Who Is Affected?
Sites that allow users who have increased permissions in
subfolders to write DTMLMethods.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
and higher. Affected sites are strongly encouraged to update
their Zope installations to prevent this issue.
- Improper security assertions on DTMLDocument objects
Issue Description
Some improper security assertions on DTMLDocument objects could
potentially allow access to members that should be protected.
Who Is Affected?
Sites that use DTMLDocuments for secure content.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- PropertyManager 'lines' and 'tokens' properties stored as list
Issue Description
Some property types were stored in a mutable data type (list) which
could potentially allow untrusted code to effect changes on those
properties without going through appropriate security checks in
particular scenarios.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
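The mutable-storage problem is easiest to see with a read path and a checked write path side by side: a reader holding a list can change the stored value in place and never touch the check. The following added example is a constructed sketch, not Zope's PropertyManager; both manager classes, Unauthorized and the helper functions are assumptions made for the illustration.

```python
# Added example (not Zope's PropertyManager): holding 'lines'/'tokens' values
# as tuples means code that merely *reads* a property cannot change the
# stored state in place; every change has to go through setProperty() and
# its permission check. Both manager classes, Unauthorized and the helpers
# are constructed.


class Unauthorized(Exception):
    """Raised when a caller lacks the permission to change a property."""


class LegacyPropertyManager:
    """Pre-fix shape: multi-valued properties stored as mutable lists."""

    def __init__(self):
        self._properties = {}

    def _setProperty(self, pid, value, ptype):
        if ptype in ("lines", "tokens"):
            value = list(value)
        self._properties[pid] = (ptype, value)

    def getProperty(self, pid):
        return self._properties[pid][1]

    def setProperty(self, pid, value, may_change):
        """The supported write path; may_change models the permission check."""
        if not may_change:
            raise Unauthorized(pid)
        ptype = self._properties[pid][0]
        self._setProperty(pid, value, ptype)


class PropertyManager(LegacyPropertyManager):
    """Post-fix shape: the same properties stored as immutable tuples."""

    def _setProperty(self, pid, value, ptype):
        if ptype in ("lines", "tokens"):
            value = tuple(value)
        self._properties[pid] = (ptype, value)


def try_in_place_append(manager, pid, extra):
    """Models code appending to a value it obtained via getProperty();
    returns True if the stored property changed without setProperty()."""
    before = tuple(manager.getProperty(pid))
    value = manager.getProperty(pid)
    try:
        value.append(extra)
    except AttributeError:
        return False
    return tuple(manager.getProperty(pid)) != before


def change_allowed(manager, pid, value, may_change):
    """True if setProperty() accepted the change under the given permission."""
    try:
        manager.setProperty(pid, value, may_change)
    except Unauthorized:
        return False
    return True
```

With the list-backed manager the append lands in the stored value; with the tuple-backed one it raises AttributeError and the stored value is untouched, so the only way to change it is the checked setProperty() call.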
- Inadequate security assertions on admin "find" functions
Issue Description
Inadequate security assertions on administrative "find" methods
could potentially be abused.
Who Is Affected?
All Zope sites.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- ZTUtils.SimpleTree state handling
Issue Description
The ZTUtils SimpleTree decompressed tree state data from the
request without checking for final size, which could allow for
certain types of DoS attacks.
Who Is Affected?
Sites that rely on the ZTUtils.SimpleTree.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
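The dtml-tree item and the ZTUtils.SimpleTree item are two sides of one problem: tree expansion state arriving in the request was evaluated rather than parsed, and was inflated without a bound on the result. The following added example covers both; it is not Zope's own encoder or decoder, and the wire format, the limits, TreeStateError and every helper name are constructed for the illustration. Only the stdlib base64, json and zlib calls are real.

```python
# Added example covering the dtml-tree and ZTUtils.SimpleTree items (not
# Zope's own encoder/decoder): tree expansion state that arrives in the
# request is bounded at both the encoded and the decompressed size, then
# parsed as data with json and validated by shape, never eval()ed.
# The wire format, the limits and all helper names are constructed.

import base64
import json
import zlib

MAX_ENCODED_CHARS = 2048    # cap on what is accepted from the request
MAX_DECODED_BYTES = 4096    # cap on the inflated state
MAX_DEPTH = 16              # cap on nesting of the tree


class TreeStateError(ValueError):
    """Any reason the request-supplied state is refused."""


def encode_tree_state(state):
    """Pack a nested list of node ids into a URL-safe token."""
    raw = json.dumps(state, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(zlib.compress(raw)).decode("ascii")


def decompress_bounded(data, limit):
    """Inflate at most `limit` bytes; refuse anything that would be larger."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    # unconsumed_tail means more output was pending; not eof means a
    # truncated stream. Both are refused.
    if d.unconsumed_tail or not d.eof:
        raise TreeStateError("decompressed state exceeds %d bytes" % limit)
    return out


def validate_shape(node, depth=0):
    """Accept only lists of node-id strings and nested lists of the same."""
    if depth > MAX_DEPTH:
        raise TreeStateError("tree state nested too deeply")
    if not isinstance(node, list):
        raise TreeStateError("tree state must be a list")
    for item in node:
        if isinstance(item, str):
            continue
        if isinstance(item, list):
            validate_shape(item, depth + 1)
        else:
            raise TreeStateError("unexpected item %s" % type(item).__name__)


def decode_tree_state(token):
    """Token from the request -> validated nested list, or TreeStateError."""
    if len(token) > MAX_ENCODED_CHARS:
        raise TreeStateError("encoded state too long")
    try:
        packed = base64.urlsafe_b64decode(token)
        raw = decompress_bounded(packed, MAX_DECODED_BYTES)
        state = json.loads(raw.decode("utf-8"))
    except TreeStateError:
        raise
    except (zlib.error, ValueError) as exc:   # binascii.Error is a ValueError
        raise TreeStateError("malformed tree state: %s" % exc)
    validate_shape(state)
    return state


def is_rejected(token):
    """True if decode_tree_state() refuses the token."""
    try:
        decode_tree_state(token)
    except TreeStateError:
        return True
    return False
```

A well-formed token round-trips; a token that inflates to far more than MAX_DECODED_BYTES is refused before the full output is ever allocated, and a payload of the wrong shape is refused after parsing without ever being executed.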
- Configuration file did not override security policy selection
Issue Description
This is not really a security issue, just a usability issue. It has
always been possible to alternate between C and Python implementations
of the Zope security policy using certain environment variables. As
of Zope 2.7, use of environment variables is deprecated in favor of
the new 2.7 configuration files. The new configuration machinery was
not implementing the directive used to override the default security
policy.
Who Is Affected?
Zope 2.7 beta users.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher.