[Zope-PTK] Security Release: Membership 0.7.6

Bill Anderson bill@noreboots.com
Wed, 20 Sep 2000 23:07:02 -0600


Tres Seaver wrote:
> 
> Bill Anderson wrote:
> >
> > This is a security fix release.
> >
> > Membership 0.7.5  had an annoyingly nasty security bug. This bug has
> > been fixed, and is the only change in this release. It is *strongly*
> > recommended you NOT use anything prior to this release.
> >
> > To Upgrade from 0.7.5:
> > o Untar the release file in your ZOPE_HOME.
> > o Restart Zope
> >
> > The changes are in PersistentUserSource.py, and are minor, so the
> > upgrade should go smoothly. This is in relation to 0.7.5.
> 
> Is this upgrade by any chance related to the problem Michael Bernstein
> reported with local roles? 

Sort of.

> He wrote:
> 
> > For some reason, when I create a PortalMembership member, add the two
> > Python methods as I described earlier, and use the local roles screen to
> > give them a role, they are subsequently authenticated regardless of
> > whether their password is correct.
> 
> I don't know the Membership product well enough to figure out whether
> these two are related.

It is in part the authenticateUser method in LoginManager. I know,
because I duplicated it in Membership (copy->paste) to test. Moreover, it
manifests itself only on some OSes.

For example, the code in LoginManager (UserSource.py ?) works fine on
Linux. Passwords are stored encrypted, and are properly compared. On
HPUX, it does not work, and apparently neither does it work on Solaris
(which is what MB is running on).

It seems to be related to the crypt functions functioning part-time,
though beyond that I haven't found much more to go on.

I do have workarounds for HPUX and Solaris, but they involve modifying
the code to PersistentUserSource.py in Membership, to account for the
lack of the encryption. Specifically, to ignore all attempts to encrypt
anything.

I'd rather be able to figure out _why_ it doesn't work as it should.




--
E PLURIBUS LINUX
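The crypt-dependent password comparison discussed in this thread, as an added example that is not code from the Membership product or from anyone in the thread: a fail-closed verify routine plus a start-up self-test of the crypt function, so a crypt implementation that stops working denies logins instead of granting them. The crypt functions used here (fake_crypt_working, fake_crypt_broken) are constructed stand-ins for the platform crypt(3), chosen so the example runs on any OS.

```python
import hashlib
import hmac
from typing import Callable, Optional

# A crypt(3)-style callable: crypt_fn(password, salt_or_stored_hash) -> hash string.
CryptFn = Callable[[str, str], Optional[str]]


def fake_crypt_working(password: str, salt: str) -> str:
    """Constructed stand-in for a healthy crypt(): first two chars are the salt."""
    salt = salt[:2]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:22]
    return salt + digest


def fake_crypt_broken(password: str, salt: str) -> Optional[str]:
    """Constructed stand-in for a crypt() that silently stops returning a hash."""
    return None


def crypt_self_test(crypt_fn: CryptFn) -> bool:
    """Probe crypt with a known password and salt before trusting it for logins."""
    try:
        h = crypt_fn("probe-password", "ab")
        if not isinstance(h, str) or len(h) <= 2:
            return False
        # Re-hashing with the stored hash as salt must reproduce it,
        # and a wrong password must not.
        return crypt_fn("probe-password", h) == h and crypt_fn("wrong-password", h) != h
    except Exception:
        return False


def verify_password(stored: str, candidate: str, crypt_fn: CryptFn) -> bool:
    """Fail closed: any crypt failure denies access rather than granting it."""
    if not stored or not candidate:
        return False
    try:
        computed = crypt_fn(candidate, stored)
    except Exception:
        return False
    if not isinstance(computed, str) or not computed:
        return False
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    stored_hash = fake_crypt_working("s3cret", "xy")
    print(crypt_self_test(fake_crypt_working), crypt_self_test(fake_crypt_broken))
    print(verify_password(stored_hash, "s3cret", fake_crypt_working),
          verify_password(stored_hash, "nope", fake_crypt_working),
          verify_password(stored_hash, "nope", fake_crypt_broken))
```

Running crypt_self_test once at start-up would flag a platform whose crypt misbehaves before any member can be authenticated against it.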