[Zope-Annce] Vulnerability in zdaemon 2.0.5 and earlier

Jim Fulton jim at zope.com
Thu Jun 7 20:12:30 UTC 2012


zdaemon is a Unix (Unix, Linux, Mac OS X) Python program that wraps
commands to make them behave as proper daemons.  See
http://pypi.python.org/pypi/zdaemon.

zdaemon can be configured to start as root and then switch to a less
privileged user.  In version 2.0.5 and earlier, zdaemon didn't update
supplementary groups. Processes started as root retain root's
supplementary groups, likely providing more privileges than intended.
This is fixed by zdaemon 2.0.6.

It's recommended that people using zdaemon 2.0.5 and earlier upgrade
to 2.0.6 at their earliest convenience.

-- 
Jim Fulton


More information about the Zope-Announce mailing list