# RPM spec for the Products.PloneHotfix20210518 Plone security hotfix. Generated
# by the openEuler Python_Bot spec template (see the changelog at the bottom).
# Tolerate an empty/missing file manifest instead of aborting the build; the
# manifests are produced by the install scriptlet below.
%global _empty_manifest_terminate_build 0
Name:		python-Products.PloneHotfix20210518
Version:	1.6
Release:	1
Summary:	Various Plone hotfixes, 2021-05-18
# NOTE(review): unversioned "GPL" tag; the exact license version is not visible
# in this spec — confirm against the sdist before relying on it.
License:	GPL
URL:		https://plone.org/security/hotfix/20210518
# NOTE(review): the sdist is fetched from a third-party PyPI mirror and this spec
# records no checksum or signature for it. Since the payload is itself a security
# hotfix, verify the downloaded tarball against the sha256 published for
# Products.PloneHotfix20210518 1.6 on pypi.org (or in upstream's release
# announcement) before building. The path appears to follow PyPI's
# packages/<hash-prefix>/ layout, so the canonical file should be directly
# comparable.
Source0:	https://mirrors.aliyun.com/pypi/web/packages/84/82/4cbd7bab685000b7a4df20745886f752cbece8bb2dcc5ceede9ba2a0ef62/Products.PloneHotfix20210518-1.6.tar.gz
BuildArch:	noarch

# NOTE(review): only setuptools is required at runtime. No dependency on a
# Plone/Zope installation is declared even though the description says the fixes
# target Plone 5.x; confirm how this package is expected to be loaded into a
# Plone instance (the spec itself does not show that).
Requires:	python3-setuptools

%description
This hotfix fixes several security issues:
- Remote Code Execution via traversal in expressions via aliases.
  Reported by David Miller.
- Remote Code Execution via traversal in expressions (no aliases).
  Reported by Calum Hutton.
- Remote Code Execution via traversal in expressions via string formatter.
  Reported by David Miller.
- Writing arbitrary files via docutils and Python Script.
  Reported by Calum Hutton.
- Stored XSS from file upload (svg, html).
  Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
- XSS vulnerability in CMFDiffTool.
  Reported by Igor Margitich.
- Reflected XSS in various spots.
  Reported by Calum Hutton.
- Various information disclosures: GS, QI, all_users.
  Reported by Calum Hutton.
- Stored XSS from user fullname.
  Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL.
  Reported by Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL.
  Reported by MisakiKata and David Miller.
- Server Side Request Forgery via lxml parser.
  Reported by MisakiKata and David Miller.
- XSS in folder contents on Plone 5.0 and higher.
  Reported by Matt Moreschi.
  Only included since version 1.5 of the hotfix.
- Remote Code Execution via Python Script.
  Reported by Calum Hutton.
  Only Plone 5.2 on Python 3 is vulnerable.
  Only included since version 1.6 of the hotfix.

# Runtime subpackage. It also Provides the unversioned python- name so that
# either name resolves to this package.
%package -n python3-Products.PloneHotfix20210518
Summary:	Various Plone hotfixes, 2021-05-18
Provides:	python-Products.PloneHotfix20210518
BuildRequires:	python3-devel
BuildRequires:	python3-setuptools
BuildRequires:	python3-pip
%description -n python3-Products.PloneHotfix20210518
This hotfix fixes several security issues:
- Remote Code Execution via traversal in expressions via aliases.
  Reported by David Miller.
- Remote Code Execution via traversal in expressions (no aliases).
  Reported by Calum Hutton.
- Remote Code Execution via traversal in expressions via string formatter.
  Reported by David Miller.
- Writing arbitrary files via docutils and Python Script.
  Reported by Calum Hutton.
- Stored XSS from file upload (svg, html).
  Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
- XSS vulnerability in CMFDiffTool.
  Reported by Igor Margitich.
- Reflected XSS in various spots.
  Reported by Calum Hutton.
- Various information disclosures: GS, QI, all_users.
  Reported by Calum Hutton.
- Stored XSS from user fullname.
  Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL.
  Reported by Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL.
  Reported by MisakiKata and David Miller.
- Server Side Request Forgery via lxml parser.
  Reported by MisakiKata and David Miller.
- XSS in folder contents on Plone 5.0 and higher.
  Reported by Matt Moreschi.
  Only included since version 1.5 of the hotfix.
- Remote Code Execution via Python Script.
  Reported by Calum Hutton.
  Only Plone 5.2 on Python 3 is vulnerable.
  Only included since version 1.6 of the hotfix.

# Documentation/examples subpackage; its file list (doclist.lst) is produced by
# the install scriptlet from whatever doc/example trees the sdist ships.
%package help
Summary:	Development documents and examples for Products.PloneHotfix20210518
Provides:	python3-Products.PloneHotfix20210518-doc
%description help
This hotfix fixes several security issues:
- Remote Code Execution via traversal in expressions via aliases.
  Reported by David Miller.
- Remote Code Execution via traversal in expressions (no aliases).
  Reported by Calum Hutton.
- Remote Code Execution via traversal in expressions via string formatter.
  Reported by David Miller.
- Writing arbitrary files via docutils and Python Script.
  Reported by Calum Hutton.
- Stored XSS from file upload (svg, html).
  Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
- XSS vulnerability in CMFDiffTool.
  Reported by Igor Margitich.
- Reflected XSS in various spots.
  Reported by Calum Hutton.
- Various information disclosures: GS, QI, all_users.
  Reported by Calum Hutton.
- Stored XSS from user fullname.
  Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL.
  Reported by Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL.
  Reported by MisakiKata and David Miller.
- Server Side Request Forgery via lxml parser.
  Reported by MisakiKata and David Miller.
- XSS in folder contents on Plone 5.0 and higher.
  Reported by Matt Moreschi.
  Only included since version 1.5 of the hotfix.
- Remote Code Execution via Python Script.
  Reported by Calum Hutton.
  Only Plone 5.2 on Python 3 is vulnerable.
  Only included since version 1.6 of the hotfix.

%prep
# The sdist unpacks into Products.PloneHotfix20210518-1.6, not the spec Name,
# hence the explicit -n. No Patch lines are declared in this spec.
%autosetup -n Products.PloneHotfix20210518-1.6

%build
# Plain setup.py build; the package is noarch, so nothing is compiled here.
%py3_build

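%install
%py3_install
# Ship any upstream doc/example trees with the help subpackage. Each directory
# is optional in the sdist, so every copy is guarded.
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
# Build the two file manifests from what py3_install actually placed in the
# buildroot. Both lists are created up front so the mv calls at the end cannot
# fail when a category is empty: previously only doclist.lst was touched, so a
# build that installed nothing under usr/lib, usr/lib64, usr/bin or usr/sbin
# died on the missing filelist.lst instead of producing an empty manifest.
pushd %{buildroot}
touch filelist.lst doclist.lst
if [ -d usr/lib ]; then
	find usr/lib -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
	find usr/lib64 -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
	find usr/bin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
	find usr/sbin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
# Man pages are listed with a .gz suffix: the names recorded here are the ones
# expected after install, presumably once rpm's compression brp script has run
# (this scriptlet itself does not compress them).
if [ -d usr/share/man ]; then
	find usr/share/man -type f -printf "\"/%h/%f.gz\"\n" >> doclist.lst
fi
popd
# Move the manifests next to the spec so the files sections can read them
# with -f; they must not be left inside the buildroot or they would be packaged.
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .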

%files -n python3-Products.PloneHotfix20210518 -f filelist.lst
# Runtime package: every regular file collected into filelist.lst by the install
# scriptlet (usr/lib, usr/lib64, usr/bin, usr/sbin), plus ownership of the
# top-level directories under the Python 3 site-packages tree.
# NOTE(review): the wildcard claims every directory in site-packages, not only
# the ones this hotfix creates; that can collide with other packages owning the
# same directories — confirm this is intended by the template.
%dir %{python3_sitelib}/*

%files help -f doclist.lst
# Help package: man pages from doclist.lst plus everything copied under the
# package doc directory by the install scriptlet.
%{_docdir}/*

%changelog
* Fri Jun 09 2023 Python_Bot <Python_Bot@openeuler.org> - 1.6-1
- Package Spec generated