ANNOUNCE: Zope 2.6.3 Release and Security Update

Brian Lloyd brian@zope.com
Thu, 8 Jan 2004 20:19:12 -0500


Zope 2.6.3 Release and Security Update

  Zope 2.6.3 contains a number of security related fixes for issues
  resolved during a comprehensive security audit conducted in Q4
  2003. You may download Zope 2.6.3 from Zope.org:

    http://www.zope.org/Products/Zope/2.6.3/

  **Users of the VerboseSecurity add-on product for Zope please note:** some of
  the security-related changes in Zope 2.6.3 are incompatible with the
  VerboseSecurity product. Please uninstall the VerboseSecurity product before
  upgrading to 2.6.3 to avoid problems. It is expected that VerboseSecurity
  will be updated to be compatible with Zope 2.6.3 in the near future.

  Also note that there are binary code changes in the 2.6.3 release, making
  it impossible to issue an external "hotfix" to resolve these issues. CVS
  users should be sure to update their sites **and rebuild the C Python
  extensions** to ensure that all fixes are deployed.

  In the fourth quarter of 2003, a comprehensive evaluation of the changes
  to Python from version 2.1 to 2.3.3 was undertaken. This evaluation was
  designed to assess each change to the Python environment in terms of its
  potential impact on the Zope application server and Zope applications,
  with the goal of making Python 2.3.3 the required Python platform for
  Zope beginning with Zope 2.7.

  The evaluation was focused on assessing changes to Python in the
  following contexts:

    - Changes that would have compatibility or other effects on existing
      or new Zope applications

    - Changes that could potentially affect the Zope security architecture
      or change the behavior of the restricted execution environment used
      by Zope to run untrusted code


  In the course of the evaluation, very few of the Python changes in 2.3.3
  directly affected the Zope security architecture or had impacts on the
  restricted execution model.

  However, a number of pre-existing potential issues were discovered and
  resolved in the course of the comprehensive security audit that was
  performed as a part of the Python upgrade evaluation. Zope 2.6.3 provides
  fixes for all of these issues. A description of each issue, who is affected
  and issue status is included below.

  For more information on what is new in this release, see the CHANGES.txt and
  HISTORY.txt files for the release:

    - http://www.zope.org/Products/Zope/2.6.3/CHANGES.txt

    - http://www.zope.org/Products/Zope/2.6.3/HISTORY.txt

  For more information on the available Zope releases, guidance for selecting
  the right distribution and installation instructions, please see:

    http://www.zope.org/Documentation/Misc/InstallingZope.html



  ISSUES RESOLVED BY Zope 2.6.3:

  - For loops, list comprehensions, and other iterations in untrusted
    code

    Issue Description

    Iteration over sequences could in some cases fail to check access
    to an object obtained from the sequence. Subsequent checks (such
    as for attributes access) of such an object would still be
    performed, but it should not have been possible to obtain the
    object in the first place.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - List and dictionary instance methods in untrusted code

    Issue Description

    List and dictionary instance methods such as the get method of
    dictionary objects were not security aware and could return an
    object without checking access to that object. Subsequent checks
    (such as for attributes access) of such an object would still be
    performed, but it should not have been possible to obtain the
    object in the first place.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.
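    The check that the two items above describe as missing, modelled as an
    added example (this is not Zope's code: the validate() policy, the
    _zope_private marker and the guarded_* helper names are assumptions):

```python
# Illustrative model of the rule the advisory states: every object pulled out
# of a container, whether by iteration or by a method such as dict.get, must
# pass an access check before untrusted code may hold it. The validate()
# policy, the `_zope_private` marker and the helper names are assumptions
# made for this example, not Zope's actual API.

class Forbidden(Exception):
    """Raised when untrusted code would obtain an object it may not access."""

def validate(container, value):
    """Stand-in security policy: objects flagged with `_zope_private = True`
    (a constructed marker) may not be handed to untrusted code."""
    if getattr(value, "_zope_private", False):
        raise Forbidden(f"access to {value!r} via {container!r} denied")
    return True

def guarded_iter(container):
    """Security-aware iteration: validate each item before yielding it, so a
    for loop or list comprehension cannot obtain an unchecked object."""
    for item in container:
        validate(container, item)
        yield item

def guarded_get(mapping, key, default=None):
    """Security-aware replacement for dict.get: the looked-up value is
    validated before it is returned; the default is returned as-is."""
    if key not in mapping:
        return default
    value = mapping[key]
    validate(mapping, value)
    return value

class Secret:
    """Constructed sample of a protected object."""
    _zope_private = True
    def __repr__(self):
        return "<Secret>"

def count_accessible(container):
    """Walk a container with the guarded iterator and report how many items
    untrusted code could obtain before a protected one stopped the loop."""
    seen = 0
    try:
        for _ in guarded_iter(container):
            seen += 1
    except Forbidden:
        pass
    return seen
```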


  - Use of "import as" in untrusted code

    Issue Description

    Use of "import as" in Python scripts could potentially rebind
    names in ways that could be used to avoid appropriate security
    checks.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - Use of min, max, enumerate, iter, and sum in untrusted code

    Issue Description

    A number of newer built-ins were either unavailable in untrusted
    code or did not perform adequate security checking.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - Broken binding validation in untrusted code

    Issue Description

    The variables bound to page templates and Python scripts such as
    "context" and "container" were not checked adequately, allowing
    a script to potentially access those objects without ensuring the
    necessary permissions on the part of the executing user.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - Unpacking in untrusted code

    Issue Description

    Unpacking via function calls, variable assignment, exception
    variables and other contexts did not perform adequate security
    checks, potentially allowing access to objects that should have
    been protected.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - Unicode passed to RESPONSE.write() could shut down the process

    Issue Description

    Inadequate type checking could allow unicode values passed to
    RESPONSE.write() to be passed into deeper layers of asyncore,
    where an exception would eventually be generated at a level that
    would cause the Zserver main loop to terminate.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - PythonScript class security not initialized properly

    Issue Description

    Class security was not properly initialized for PythonScripts,
    potentially allowing access to variables that should be protected.
    It turned out that most of the security assertions were in fact
    activated as a side effect of other code, but this fix is still
    appropriate to ensure that all security declarations are properly
    applied.

    Who Is Affected?

    Sites that use Python Scripts.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - XML-RPC instance marshaling may disclose protected values

    Issue Description

    XML-RPC marshalling of class instances used the instance
    __dict__ to marshal the object, and could include attributes
    prefixed with an underscore name. These attributes are considered
    private in Zope and should generally not be disclosed.

    Who Is Affected?

    All Zope sites.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
    and higher. Affected sites are strongly encouraged to update
    their Zope installations to prevent this issue.
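    The disclosure path described above, with the fix applied, as an added
    example (not Zope's marshalling code; the Document class and its
    attribute values are constructed for the demonstration):

```python
import xmlrpc.client

class Document:
    """Constructed sample object: public data plus underscore-prefixed state
    that Zope treats as private (a stand-in for a real Zope object)."""
    def __init__(self):
        self.title = "Quarterly report"
        self.author = "brian"
        self._p_oid = "0x2a"                    # constructed persistence id
        self._secret_key = "constructed-secret" # constructed private value

def public_state(obj):
    """Return the subset of obj.__dict__ that is safe to marshal: every key
    starting with an underscore is dropped, which is the Zope convention for
    private members the advisory refers to."""
    return {k: v for k, v in vars(obj).items() if not k.startswith("_")}

def marshal_unfiltered(obj):
    """The pre-2.6.3 behaviour as the advisory describes it: the raw
    __dict__ goes to the XML-RPC marshaller, so underscore attributes leak."""
    return xmlrpc.client.dumps((vars(obj),), methodresponse=True)

def marshal_filtered(obj):
    """Hardened variant: marshal only the public state."""
    return xmlrpc.client.dumps((public_state(obj),), methodresponse=True)

def leaked_private_names(payload):
    """Audit helper: decode an XML-RPC response and list any underscore-prefixed
    struct member names it carries; an empty list means nothing private went
    over the wire."""
    (struct,), _ = xmlrpc.client.loads(payload)
    return sorted(k for k in struct if k.startswith("_"))
```

    The audit helper is handy for checking responses from an unpatched
    server before and after the upgrade.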


  - DTML tag dtml-tree may allow DoS attack

    Issue Description

    The dtml-tree tag used an "eval" of user-supplied data; its
    efforts to prevent abuse were ineffective.

    Who Is Affected?

    All Zope sites.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - Potential cross-site scripting problem in default ZSearch interface

    Issue Description

    Browsers that do not escape html in query strings such as
    Internet Explorer 5.5 could potentially send a script tag in a
    query string to the ZSearch interface for cross-site scripting.

    Who Is Affected?

    Sites that use the default ZSearch interface.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
    and higher. Affected sites are strongly encouraged to update
    their Zope installations to prevent this issue.


  - Proxy rights on DTMLMethods transferred via acquisition

    Issue Description

    DTMLMethods with proxy rights could incorrectly transfer those
    rights via acquisition when traversing to a parent object.

    Who Is Affected?

    Sites that allow users who have increased permissions in
    subfolders to write DTMLMethods.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
    and higher. Affected sites are strongly encouraged to update
    their Zope installations to prevent this issue.


  - Improper security assertions on DTMLDocument objects

    Issue Description

    Some improper security assertions on DTMLDocument objects could
    potentially allow access to members that should be protected.

    Who Is Affected?

    Sites that use DTMLDocuments for secure content.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - PropertyManager 'lines' and 'tokens' properties stored as list

    Issue Description

    Some property types were stored in a mutable data type (list) which
    could potentially allow untrusted code to effect changes on those
    properties without going through appropriate security checks in
    particular scenarios.

    Who Is Affected?

    Sites that allow untrusted users to write Python Scripts, Page
    Templates, and DTML.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - Inadequate security assertions on admin "find" functions

    Issue Description

    Inadequate security assertions on administrative "find" methods
    could potentially be abused.

    Who Is Affected?

    All Zope sites.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.


  - ZTUtils.SimpleTree state handling

    Issue Description

    The ZTUtils SimpleTree decompressed tree state data from the
    request without checking for final size, which could allow for
    certain types of DoS attacks.

    Who Is Affected?

    Sites that rely on the ZTUtils.SimpleTree.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher. Affected sites are strongly encouraged to update their
    Zope installations to prevent this issue.
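    A bounded decoder for request-supplied compressed state, as an added
    example of the missing size check (this is not ZTUtils code; the
    zlib-then-base64 packing and the MAX_STATE_BYTES cap are assumptions):

```python
import base64
import zlib

MAX_STATE_BYTES = 4096  # assumption: arbitrary cap chosen for this example

class TreeStateTooLarge(ValueError):
    """Raised when the inflated tree state would exceed the configured cap."""

def encode_tree_state(state):
    """Pack tree state the way a client sends it back: zlib then base64
    (assumption: mimics the compressed form the advisory refers to)."""
    return base64.b64encode(zlib.compress(state, 9)).decode("ascii")

def decode_tree_state_unbounded(encoded):
    """The pattern the advisory describes: inflate whatever the request
    carries with no bound on the inflated size."""
    return zlib.decompress(base64.b64decode(encoded))

def decode_tree_state(encoded, limit=MAX_STATE_BYTES):
    """Hardened variant: inflate incrementally and stop as soon as the output
    would exceed `limit`, so a tiny request cannot force a huge allocation."""
    d = zlib.decompressobj()
    # Ask for at most limit+1 bytes; producing that many proves the cap is
    # exceeded without ever materialising the full inflated payload.
    out = d.decompress(base64.b64decode(encoded), limit + 1)
    if len(out) > limit:
        raise TreeStateTooLarge(f"tree state inflates past {limit} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed tree state")
    return out
```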


  - Configuration file did not override security policy selection

    Issue Description

    This is not really a security issue, just a usability issue. It has
    always been possible to alternate between C and Python implementations
    of the Zope security policy using certain environment variables. As
    of Zope 2.7, use of environment variables is deprecated in favor of
    the new 2.7 configuration files. The new configuration machinery was
    not implementing the directive used to override the default security
    policy.

    Who Is Affected?

    Zope 2.7 beta users.

    Resolution

    This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
    higher.