From yasi@yasi.minidns.net  Sun Jul  9 04:54:43 2006
Return-Path: <yasi@yasi.minidns.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 72F7216A4DD
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  9 Jul 2006 04:54:43 +0000 (UTC)
	(envelope-from yasi@yasi.minidns.net)
Received: from yasi.minidns.net (59-190-169-89.eonet.ne.jp [59.190.169.89])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 117A043D45
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  9 Jul 2006 04:54:42 +0000 (GMT)
	(envelope-from yasi@yasi.minidns.net)
Received: from yasi.minidns.net (localhost.yasi.to [127.0.0.1])
	by yasi.minidns.net (8.13.6/8.13.6) with ESMTP id k694sdxJ023279
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 9 Jul 2006 13:54:39 +0900 (JST)
	(envelope-from yasi@yasi.minidns.net)
Received: (from yasi@localhost)
	by yasi.minidns.net (8.13.6/8.13.6/Submit) id k694scRo023278;
	Sun, 9 Jul 2006 13:54:38 +0900 (JST)
	(envelope-from yasi)
Message-Id: <200607090454.k694scRo023278@yasi.minidns.net>
Date: Sun, 9 Jul 2006 13:54:38 +0900 (JST)
From: HAYASHI Yasushi <yasi@yasi.to>
Reply-To: HAYASHI Yasushi <yasi@yasi.to>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [maintainer update] www/zope29 update: security Hot Fix 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         99952
>Category:       ports
>Synopsis:       [maintainer update] www/zope29 update: security Hot Fix
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    itetcu
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 09 05:00:29 GMT 2006
>Closed-Date:    Sun Aug 06 13:45:16 GMT 2006
>Last-Modified:  Sun Aug 06 13:45:16 GMT 2006
>Originator:     HAYASHI Yasushi
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
>Environment:
System: FreeBSD notesv.yasi.to 6.1-STABLE FreeBSD 6.1-STABLE #6: Wed Jun 14 02:38:24 JST 2006 yasi@notesv.yasi.to:/usr/obj/usr/src/sys/MYKERNEL i386


	
>Description:
Zope.org released a security Hot Fix for Zope 2.x.  See details at:
   Serious security problem with Zope 2.
   http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05/

	
>How-To-Repeat:
	
>Fix:

	

--- zope29.diff begins here ---
diff -urN /usr/ports/www/zope29.old/Makefile /usr/ports/www/zope29/Makefile
--- /usr/ports/www/zope29.old/Makefile	Wed May 17 03:01:44 2006
+++ /usr/ports/www/zope29/Makefile	Sun Jul  9 01:39:26 2006
@@ -7,11 +7,16 @@
 
 PORTNAME=	zope
 PORTVERSION=	2.9.3
+PORTREVISION=	1
 CATEGORIES=	www python zope
-MASTER_SITES=	http://www.zope.org/Products/Zope/${PORTVERSION}/
+MASTER_SITES=	http://www.zope.org/Products/Zope/${PORTVERSION}/ \
+		http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/:hotfix_20060705
 DISTNAME=	Zope-${PORTVERSION}
 EXTRACT_SUFX=	.tgz
+DISTFILES=	${DISTNAME}${EXTRACT_SUFX} \
+		Hotfix_20060705.tar.gz:hotfix_20060705
 DIST_SUBDIR=	zope
+EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
 
 MAINTAINER=	yasi@yasi.to
 COMMENT=	An object-based web application platform
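Review bot: The hotfix MASTER_SITES path added here (`http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/`) differs from the URL given in the PR description (`.../Hotfix-2006-07-05/Hotfix-2006-07-05/`); confirm which subdirectory actually serves Hotfix_20060705.tar.gz so `make fetch` does not fail on the hotfix group. The rest of the hunk is consistent: PORTREVISION is bumped so installed packages pick up the fix, the hotfix tarball is appended to DISTFILES with its own `:hotfix_20060705` group so it is fetched and checksummed together with the main distfile, and EXTRACT_ONLY keeps it out of the automatic extract so the Makefile can place it under Products itself.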
@@ -73,6 +78,7 @@
 	${MKDIR} ${ZOPEBASEDIR}/Products
 	${CP} ${FILESDIR}/Products_00readme-freebsd.txt \
 		${ZOPEBASEDIR}/Products/00readme-freebsd.txt
+	${TAR} xzf ${DISTDIR}/${DIST_SUBDIR}/Hotfix_20060705.tar.gz -C ${ZOPEBASEDIR}/Products/
 
 	${FIND} ${ZOPEBASEDIR} -type f -print0 | ${XARGS} -0 -- ${CHMOD} a-w
 
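Review bot: The added `${TAR} xzf ...` line hardcodes `Hotfix_20060705.tar.gz` a second time (it is also spelled out in DISTFILES); pulling the filename into one variable, e.g. `HOTFIX_DISTFILE=	Hotfix_20060705.tar.gz`, would keep the two from drifting when the next hotfix lands. Placement is right: the extraction runs before the `${FIND} ... ${CHMOD} a-w` pass, so the hotfix files end up read-only like the rest of ${ZOPEBASEDIR}, and because the tarball is in DISTFILES its distinfo checksum has already been verified by the time this target runs.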
diff -urN /usr/ports/www/zope29.old/distinfo /usr/ports/www/zope29/distinfo
--- /usr/ports/www/zope29.old/distinfo	Mon May 15 16:53:39 2006
+++ /usr/ports/www/zope29/distinfo	Sat Jul  8 20:54:46 2006
@@ -1,3 +1,6 @@
 MD5 (zope/Zope-2.9.3.tgz) = 4e8b4e076cadd6eb62dd4513748cb9f9
 SHA256 (zope/Zope-2.9.3.tgz) = 2c60f25266663d676c1c8c2c6864a038a1b675ff8879cec40fbc72f72efc0bfa
 SIZE (zope/Zope-2.9.3.tgz) = 8010113
+MD5 (zope/Hotfix_20060705.tar.gz) = 6dec58130117fd860adc7fd58f8062e7
+SHA256 (zope/Hotfix_20060705.tar.gz) = 6c7fd09c90e09d553ef454bfd2a7e3ad906a97893b4c14ac4a5f6f2bd23fa287
+SIZE (zope/Hotfix_20060705.tar.gz) = 1076
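Review bot: Nothing to change in this hunk: the three new lines follow the existing MD5/SHA256/SIZE triple for the main distfile, and the 1076-byte SIZE is plausible for a product made up of the three small files listed in pkg-plist. Anyone refreshing this entry for a later hotfix should regenerate it with `make makesum` rather than editing the sums by hand.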
diff -urN /usr/ports/www/zope29.old/pkg-plist /usr/ports/www/zope29/pkg-plist
--- /usr/ports/www/zope29.old/pkg-plist	Tue May 16 20:49:04 2006
+++ /usr/ports/www/zope29/pkg-plist	Sun Jul  9 13:48:24 2006
@@ -1,4 +1,7 @@
 %%ZOPEBASEDIR%%/Products/00readme-freebsd.txt
+%%ZOPEBASEDIR%%/Products/Hotfix_20060705/README.txt
+%%ZOPEBASEDIR%%/Products/Hotfix_20060705/__init__.py
+%%ZOPEBASEDIR%%/Products/Hotfix_20060705/version.txt
 %%ZOPEBASEDIR%%/bin/analyze.py
 %%ZOPEBASEDIR%%/bin/check_catalog.py
 %%ZOPEBASEDIR%%/bin/checkbtrees.py
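Review bot: Only `__init__.py` is listed for the hotfix product; if Zope byte-compiles Products on startup (or the port does so at install time), an `__init__.pyc` will be left in `%%ZOPEBASEDIR%%/Products/Hotfix_20060705` that is not in the plist, and the matching `@dirrm` at the end of the file will then fail on deinstall. Check how the other `.py` entries in this plist are handled (whether their `.pyc` counterparts are listed) and mirror that for the hotfix.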
@@ -12782,5 +12785,6 @@
 @dirrm %%ZOPEBASEDIR%%/include/python
 @dirrm %%ZOPEBASEDIR%%/include
 @dirrm %%ZOPEBASEDIR%%/bin
+@dirrm %%ZOPEBASEDIR%%/Products/Hotfix_20060705
 @dirrmtry %%ZOPEBASEDIR%%/Products
 @dirrmtry %%ZOPEBASEDIR%%
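Review bot: The new `@dirrm %%ZOPEBASEDIR%%/Products/Hotfix_20060705` is correctly placed before `@dirrmtry %%ZOPEBASEDIR%%/Products`, so the child directory is removed before the parent is tried; `@dirrm` rather than `@dirrmtry` is the right choice here because the port owns every file in that directory, so a leftover file should be reported rather than silently ignored.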
--- zope29.diff ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->itetcu 
Responsible-Changed-By: itetcu 
Responsible-Changed-When: Sun Jul 9 12:26:05 UTC 2006 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=99952 
State-Changed-From-To: open->feedback 
State-Changed-By: itetcu 
State-Changed-When: Sun Jul 9 12:36:48 UTC 2006 
State-Changed-Why:  
Committed, thanks! Could you also submit a VuXML entry for this problem
(if there isn't one already)?

http://www.freebsd.org/cgi/query-pr.cgi?pr=99952 
State-Changed-From-To: feedback->patched 
State-Changed-By: itetcu 
State-Changed-When: Sun Jul 9 12:37:09 UTC 2006 
State-Changed-Why:  
Patch committed, waiting for VuXML entry.

http://www.freebsd.org/cgi/query-pr.cgi?pr=99952 

From: HAYASHI Yasushi <yasi@yasi.to>
To: bug-followup@FreeBSD.org,  yasi@yasi.to,  itetcu@freebsd.org
Cc:  
Subject: Re: ports/99952: [maintainer update] www/zope29 update: security
 Hot Fix
Date: Sun, 09 Jul 2006 23:06:24 +0900

 Thanks for committing :-)
 
 How about this, my first patch for /usr/ports/security/vuxml/vuln.xml?
 
 
 diff -urN /usr/ports/security/vuxml.old/vuln.xml
 /usr/ports/security/vuxml/vuln.xml
 --- /usr/ports/security/vuxml.old/vuln.xml	Thu Jul  6 19:50:20 2006
 +++ /usr/ports/security/vuxml/vuln.xml	Sun Jul  9 23:00:24 2006
 @@ -6332,6 +6332,42 @@
      </dates>
    </vuln>
 
 +  <vuln vid="ea8c8fd2-0f4a-11db-a61a-0090991a6436">
 +    <topic>zope -- Zope Docutils Information Disclosure
 Vulnerability</topic>
 +    <affects>
 +      <package>
 +	<name>zope</name>
 +	<range><ge>2.7.0</ge><le>2.7.8</le></range>
 +	<range><ge>2.8.0</ge><le>2.8.7</le></range>
 +	<range><ge>2.9.0</ge><le>2.9.3</le></range>
 +      </package>
 +    </affects>
 +    <description>
 +      <body xmlns="http://www.w3.org/1999/xhtml">
 +	<p>A Zope Hotfix Alert reports:</p>
 +	<blockquote
 cite="http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/README.txt">
 +	  <p>This hotfix corrects an information disclosure vulnerability
 +            in Zope2, due to Zope2's use of the docutils module to parse
 +            and render "restructured text".</p>
 +          <p>Sites which allow untrusted users to create restructured
 +            text as through-the-web content should apply this hotfix.</p>
 +          <p>The hotfix may be removed after upgrading to a version of
 +            Zope2 more recent than this hotfix.</p>
 +	</blockquote>
 +      </body>
 +    </description>
 +    <references>
 +      <freebsdpr>ports/99952</freebsdpr>
 +      <bid>18856</bid>
 +
 <url>http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05/view</url>
 +
 <url>http://mail.zope.org/pipermail/zope-announce/2006-July/001984.html</url>
 +    </references>
 +    <dates>
 +      <discovery>2006-07-05</discovery>
 +      <entry>2005-07-08</entry>
 +    </dates>
 +  </vuln>
 +
    <vuln vid="d2b80c7c-3aae-11da-9484-00123ffe8333">
      <topic>zope -- expose RestructuredText functionality to untrusted
 users</topic>
      <affects>
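Review bot: `<entry>2005-07-08</entry>` is a typo: the entry date cannot precede the 2006-07-05 `<discovery>` date in the same block, and it should read 2006-07-08. Two smaller points in the same hunk: the `<topic>` element and both `<url>` elements were wrapped by the mail client onto two lines, so the patch will not apply as pasted (attach it as a file or re-send it unwrapped), and the `cite` attribute points at `Hotfix-20060705/README.txt` while the `<url>` uses `Hotfix-2006-07-05/view`, so one of the two directory spellings should be checked against the actual site. Indentation inside `<package>` also mixes tabs with the spaces used elsewhere in the entry. Running `make validate` in security/vuxml before committing will catch the schema-level problems.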
 
State-Changed-From-To: patched->closed 
State-Changed-By: itetcu 
State-Changed-When: Sun Aug 6 13:45:14 UTC 2006 
State-Changed-Why:  
Both the update and the VuXML entry have been committed

http://www.freebsd.org/cgi/query-pr.cgi?pr=99952 
>Unformatted:
