Bug 111119 - [update] www/zope change to FORBIDDEN
Summary: [update] www/zope change to FORBIDDEN
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Stefan Walter
Depends on:
Reported: 2007-04-02 02:20 UTC by HAYASHI Yasushi
Modified: 2007-04-12 12:27 UTC

See Also:

file.diff (467 bytes, patch)
2007-04-02 02:20 UTC, HAYASHI Yasushi

Description HAYASHI Yasushi 2007-04-02 02:20:08 UTC
Zope.org announced cross-site scripting vulnerability in Zope 2.7.x.
But there is no Hotfix supported officially.
See: http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt

The time has come that Zope 2.7.x should be FORBIDDEN.

Next, I MUST change Mk/bsd.python.mk to remove Zope 2.7.x.
But I don't have a certain idea for it.

Fix: Patch attached with submission follows:
Comment 1 Edwin Groothuis freebsd_committer 2007-04-02 02:20:14 UTC
State Changed
From-To: open->feedback

Awaiting maintainer's feedback
Comment 2 Gerhard Schmidt 2007-04-02 09:48:04 UTC
On Mon, Apr 02, 2007 at 01:20:12AM +0000, Edwin Groothuis wrote:
> Maintainer of www/zope,
> Please note that PR ports/111119 has just been submitted.
> If it contains a patch for an upgrade, an enhancement or a bug fix
> you agree on, reply to this email stating that you approve the patch
> and a committer will take care of it.
> The full text of the PR can be found at:
>     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/111119

I have a problem with removing Zope 2.7 from the ports tree (what this port
effectively does). As the Hotfix isn't part of the distribution, and as stated
several times it shouldn't be part of the port. It's still in use
and upgrading isn't straightforward.

Gerhard Schmidt    | Nick : estartu      IRC : Estartu  |
Fischbachweg 3     |                                    |  PGP Public Key
86856 Hiltenfingen | Privat: estartu@augusta.de         |   auf Anfrage/
Tel: 08232 77 36 4 | Dienst: schmidt@ze.tu-muenchen.de  |    on request
Fax: 08232 77 36 3 |                                    |
Comment 3 Stefan Walter freebsd_committer 2007-04-05 13:49:51 UTC
Responsible Changed
From-To: freebsd-ports-bugs->stefan

Comment 4 Stefan Walter freebsd_committer 2007-04-05 14:09:19 UTC
Hi Gerhard,

marking the port FORBIDDEN does not remove it from the ports tree. It
mainly tells the user that a port should not be installed. The port can
still be installed by commenting out FORBIDDEN in the Makefile.

If a fix for this security vulnerability is not available, the port should
clearly be marked FORBIDDEN. Please see the section in the Porter's
Handbook about this, too [1].
[1]: http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-noinstall.html
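As an added illustration of the behaviour described in the comment above (example code, not part of this PR or of the FreeBSD ports tree), the following POSIX shell check scans a ports tree for FORBIDDEN marks and reports the reason; the three-port tree it reads is constructed inline in a temporary directory, and the port names and reasons are made up for the demonstration.

```shell
# Constructed sample ports tree: one port marked FORBIDDEN, one clean,
# and one where the mark was commented out (so the framework ignores it).
PORTS="$(mktemp -d)"
mkdir -p "$PORTS/www/zope" "$PORTS/www/apache22" "$PORTS/www/oldport"
printf 'PORTNAME=\tzope\nPORTVERSION=\t2.7.8\n\nFORBIDDEN=\tcross-site scripting vulnerability\n\n.include <bsd.port.mk>\n' \
    > "$PORTS/www/zope/Makefile"
printf 'PORTNAME=\tapache\nPORTVERSION=\t2.2.4\n\n.include <bsd.port.mk>\n' \
    > "$PORTS/www/apache22/Makefile"
printf 'PORTNAME=\toldport\n#FORBIDDEN=\tsome old issue\n\n.include <bsd.port.mk>\n' \
    > "$PORTS/www/oldport/Makefile"

# Print the FORBIDDEN reason for one port directory; prints nothing when the
# port is not marked. A commented-out "#FORBIDDEN=" line is deliberately not
# matched, mirroring the way the ports framework treats it (the port installs).
forbidden_reason() {
    sed -n 's/^FORBIDDEN[[:space:]]*[?:+]*=[[:space:]]*//p' "$1/Makefile"
}

# Walk category/port directories and list every FORBIDDEN port with its reason,
# the kind of audit an administrator would run before updating from the tree.
audit_forbidden() {
    for mk in "$1"/*/*/Makefile; do
        dir="${mk%/Makefile}"
        reason="$(forbidden_reason "$dir")"
        [ -n "$reason" ] && printf '%s\t%s\n' "${dir#"$1"/}" "$reason"
    done
    return 0
}

audit_forbidden "$PORTS"
```

On a real FreeBSD system, `make -V FORBIDDEN` run inside a port directory reports the same value through the ports framework itself.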
Comment 5 dfilter service freebsd_committer 2007-04-08 12:24:23 UTC
stefan      2007-04-08 11:24:18 UTC

  FreeBSD ports repository

  Modified files:
    www/zope             Makefile 
  Mark FORBIDDEN due to cross-site scripting vulnerability.
  PR:             111119
  Submitted by:   Yasushi Hayashi<yasi@yasi.to>
  Revision  Changes    Path
  1.75      +2 -0      ports/www/zope/Makefile
Comment 6 Stefan Walter freebsd_committer 2007-04-08 12:33:09 UTC
Please note that I have marked www/zope FORBIDDEN now. Users may still
decide to install the port, but it prevents installation without knowing
about the vulnerability. The FORBIDDEN mark can be removed as soon as the
software isn't vulnerable after installation via the port.

Comment 7 Stefan Walter freebsd_committer 2007-04-12 12:26:22 UTC
State Changed
From-To: feedback->closed

The port www/zope has been marked FORBIDDEN.