Happy Holidays all,
Zope 2.2.5 beta 1 has been released - you can download it from
Zope.org:
http://www.zope.org/Products/Zope/2.2.5b1/
This release contains a number of bug fixes, and includes all Hotfixes
to date. It includes the fix for a memory leak that could occur when
accessing SQL data through aliased names, a fix for a problem with
contention between concurrent POST requests and a number of fixes to
improve support for current WebDAV-aware clients such as Adobe GoLive.
Note that this release contains a change to the ExtensionClass binary -
if you are running a source release you should rebuild the Zope binaries
after upgrading or applying a "diff" update.
For more information on what is new in this release, see the CHANGES.txt
and HISTORY.txt files for the release:
http://www.zope.org/Products/Zope/2.2.5b1/CHANGES.txt
http://www.zope.org/Products/Zope/2.2.5b1/HISTORY.txt
Note that we have also posted "diff" updates as .tgz files that will let
you easily upgrade an existing 2.2.x site. These updates are available for
those currently using the 2.2.x source release or the 2.2.x binary
releases.
To apply a differential update to your site:
- download the appropriate .tgz file from zope.org
- shut down your Zope process
- copy the .tgz to your Zope directory and extract it
- run w_pcgi or wo_pcgi *if you are not using a binary release*
- restart your process
Brian Lloyd brian(a)digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
hello all,
available immediately from our website via this address:
http://www.beehive.de/zope/hosting/guide.html
is the first edition of the Zope Hosting Guide.
here are the highlights:
- free
- 23 pages
- written for beginners
- work in progress (many more releases to come)
regards,
mark
--------------------------------------------------------------
mark pratt (managing director) mark(a)beehive.de
beehive elektronische medien GmbH http://www.beehive.de
phone: +49 30 847-82 0 fax: +49 30 847-82 299
Hi all -
<Tis the season for hot - fix - es, fa la la la la,
waa waa waa waa...>
Peter Kelly has brought another potential security issue to
our attention that is important enough to make a Hotfix
available for those who allow untrusted users to edit DTML
on their sites.
The issue involves incorrect protection of a data updating method
on Image and File objects. Because the method was not correctly
protected, it was possible for users with DTML editing privileges
to update the raw data of a File or Image object via DTML though
they did not have editing privileges on the objects themselves.
We recommend that any Zope site running versions of Zope up to and
including 2.2.4 have this hotfix product installed to mitigate the
issue if the site is accessible by untrusted users who have DTML
editing privileges.
http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt
http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz
The hotfix will work for all versions of Zope 2.1.x and higher. A
Zope 2.2.5 release later this week will contain the fix for this
issue (as well as all hot fixes to date) and you will be able to
uninstall the hot fix after upgrading.
Brian Lloyd brian(a)digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
The version of the Hotfix uploaded initially was flawed :(
I have made a new one (Hotfix_2000-12-15a) and put
redirects at the old location in case people get the
original announcement and not this email.
If you were quick on the trigger and downloaded the hotfix
within an hour or so of the announcement you should get the
updated (15a) one, as the flaw may prevent you from adding
objects on your site.
TGIF,
Brian Lloyd brian(a)digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
Hi all -
A security issue has recently come to our attention (thanks to
Erik Enge for identifying this) that affects Zope versions up to
and including Zope 2.2.4.
The issue involves the computation of local roles. In some situations
the computation was not climbing the correct hierarchy of folders,
sometimes granting local roles inappropriately. This could allow
users with privileges in one folder to gain the same privileges in
another folder.
We *highly* recommend that any Zope site running versions of
Zope up to and including 2.2.4 have this hotfix product installed
to mitigate the issue.
- http://www.zope.org/Products/Zope/Hotfix_2000-12-15/README.txt
- http://www.zope.org/Products/Zope/Hotfix_2000-12-15/Hotfix_2000-12-15.tgz
The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
Note that we will be making a Zope 2.2.5 release early next week
that includes the fix for this issue as well as the issue addressed
by the recent 12/08 hotfix.
Brian Lloyd brian(a)digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
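A simplified model of the class of bug described in the announcement above, added here as an illustration; it is not Zope's code or the hotfix's. It assumes the wrong hierarchy is the chain of folders a request passed through rather than the folders that contain the target, and `Folder`, `lookup`, `traverse` and both role functions are hypothetical names.

```python
class Folder:
    """Constructed stand-in for a folder; not Zope's class."""
    def __init__(self, name, container=None, local_roles=None):
        self.name, self.container = name, container
        self.local_roles = local_roles or {}   # {user: [roles]} set on this folder
        self.children = {}
        if container is not None:
            container.children[name] = self

def lookup(folder, name):
    """Find name in folder or, failing that, in the folders that contain it."""
    while folder is not None:
        if name in folder.children:
            return folder.children[name]
        folder = folder.container
    raise KeyError(name)

def traverse(root, path):
    """Return every object a request for path passes through, target last."""
    visited = [root]
    for name in path.strip("/").split("/"):
        visited.append(lookup(visited[-1], name))
    return visited

def roles_via_access_path(user, visited):
    """Flawed (assumed form of the bug): trusts folders the request passed through."""
    roles = set()
    for obj in visited:
        roles.update(obj.local_roles.get(user, ()))
    return roles

def roles_via_containment(user, visited):
    """Corrected: climbs only the folders that actually contain the target."""
    roles, obj = set(), visited[-1]
    while obj is not None:
        roles.update(obj.local_roles.get(user, ()))
        obj = obj.container
    return roles

# Constructed site: alice is Manager in /sales only; /hr/payroll is unrelated.
root = Folder("root")
sales = Folder("sales", root, {"alice": ["Manager"]})
hr = Folder("hr", root)
payroll = Folder("payroll", hr)
```

A regression check for this class of bug compares the two functions on a path that passes through a folder which does not contain the target; they must agree.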
I had some reports yesterday of the Core Session Tracking development code
not working against recent Zope 2.2 releases, so I removed dependencies in
the code on the Interface module which were causing the incompatibilities.
CoreSessionTracking 0.1 will work against Zope 2.3a1, but not against Zope
2.2.3, 2.2.4, etc.
A new release of the code which has these dependencies removed, 0.2, is
available from
http://www.zope.org/Members/mcdonc/Products/CoreSessionTracking . This
release works against all Zope 2.2.X based systems, AFAIK.
Thanks!
- Chris
On the heels of Brian's announcement, we are gurgling with joy to announce
a synchronized release of the Zope Book for the Zope 2.3 alpha release.
http://www.zope.org/Members/michel/ZB/
This release marks the first time the book and Zope are "in sync" enough
for you to be able to fully try out all the examples and understand all
the concepts.
This also marks the first time in a long time that Zope has a (fairly)
complete, up-to-date manual! Truly exciting times are these. Remember
though, both the software *and* the manual are alpha, they both will have
bugs. Please report any bugs, suggestions, or comments in the book to
docs(a)digicool.com.
Happy reading!
-Michel
Hello all,
As promised, Zope 2.3.0 alpha 1 is now available. You can
download it from Zope.org:
http://www.zope.org/Products/Zope/2.3.0a1/
This release contains a number of important new usability
features, and also marks the first release where a
substantial amount of the work done happened in the Fishbowl
on dev.zope.org. Some highlights of this release:
- Python Scripts are now part of the Zope core. Big whopping
kudos to Evan Simpson for all of the work he has put into
this! Having Python Scripts in the core will allow people
to much more easily separate logic and presentation (and
get that logic out of DTML!) More information and prototype
documentation for Python Scripts can be found in the
dev.zope.org project:
http://dev.zope.org/Wikis/DevSite/Projects/PythonMethods
- The process of creating an initial user at install time
has finally been fixed. Before you had to create a superuser,
login as the superuser, create a normal manager, logout, then
log back in as the normal manager. This was obtuse and caused
big problems for newbies who would log in as the superuser and
start trying to work immediately (leading to errors since the
superuser cannot own objects).
This process is now much more sane. Now, at install time a
default initial manager (not a superuser) is created. The
superuser has been renamed to the "emergency user" and is
not even created by default. If you ever have a need to log
in as the emergency user, you can use zpasswd.py to create it.
- The new security assertion support has been checked in. For
more information and an updated version of the "Zope security
for developers" guide see the project on dev.zope.org:
http://dev.zope.org/Wikis/DevSite/Projects/DeclarativeSecurity
- Added new getId() method to SimpleItem.Item. This should
now be used instead of referencing 'object.id' directly,
as it is guaranteed to always be a method and to always
return the right thing regardless of how the id of the
object is stored internally. This relieves DTML writers of
the contortions they previously had to go through to handle
varying cases of 'id' being a method or an attribute.
- Improved Ownership controls. Now you simply choose whether
or not to take ownership of sub-objects when taking
ownership. Implementation details about whether ownership
is implicit or explicit are no longer forced on the user.
- Unit testing infrastructure for the Zope core. PyUnit has been
checked in, and a utility has been added that will allow us to
incrementally begin accumulating (and running) test suites. The
new testrunner.py in the utilities directory is a basic utility
for running PyUnit based unit tests. It can
be used to run all tests found in the Zope tree, all test suites
in a given directory or in specific files. The testrunner will
be used to ensure that all checked in tests pass before releases
are made. For more information, see the docstring of the actual
testrunner.py module.
For more information on what is new in this release, see the
CHANGES.txt and HISTORY.txt files for the release:
http://www.zope.org/Products/Zope/2.3.0a1/CHANGES.txt
http://www.zope.org/Products/Zope/2.3.0a1/HISTORY.txt
*Please note* that we do not build binary distributions for alpha
releases - the alpha is available as a source release only. When we
move into the beta period for 2.3, we will build and distribute
binary releases.
Brian Lloyd brian(a)digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
Hi all,
Aleksander Salwa has brought a security issue to our attention
that affects all Zope versions up to and including Zope 2.2.4.
We have released a Hotfix product to address the issue that can
be downloaded from zope.org. (Thanks to Aleksander for finding
this and to Shane Hathaway for his quick response in resolving
it!)
The issue involves security registration of "legacy" names for
certain object constructors such as the constructors for DTML
Method objects. Security was not being applied correctly for the
legacy names, making it possible to call those constructors without
the permissions that should have been required. This issue could allow
anonymous users with enough internal knowledge of Zope to instantiate
new DTML Method instances through the Web.
The hotfix for this issue is available on the zope.org web site:
o http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz
We *highly* recommend that any Zope site running versions of
Zope up to and including 2.2.4 have this hotfix product installed
to mitigate the issue.
The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
Brian Lloyd brian(a)digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
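The legacy-name issue in the announcement above, modelled as an added example; it is not Zope's code or the hotfix's. The registry, the constructor, the names `add_method` and `legacy_add_document`, and the permission string are all constructed; the `unprotected_names` audit flags any name that reaches a guarded callable without carrying a permission itself.

```python
class ConstructorRegistry:
    """Constructed model of name-based constructor lookup; not Zope's code."""

    def __init__(self):
        self.constructors = {}  # public name -> callable
        self.permissions = {}   # public name -> permission required to call it

    def register(self, name, func, permission, legacy_names=(), protect_legacy=True):
        self.constructors[name] = func
        self.permissions[name] = permission
        for alias in legacy_names:
            self.constructors[alias] = func
            if protect_legacy:  # False reproduces the class of bug described
                self.permissions[alias] = permission

    def call(self, name, granted, *args):
        # Flaw being modelled: a name with no permission entry is not checked.
        required = self.permissions.get(name)
        if required is not None and required not in granted:
            raise PermissionError("%s requires %r" % (name, required))
        return self.constructors[name](*args)

    def unprotected_names(self):
        """Audit: names that reach a callable without the permission that
        guards the same callable under another name."""
        guarded = {}
        for name, func in self.constructors.items():
            if name in self.permissions:
                guarded.setdefault(func, set()).add(self.permissions[name])
        return sorted(
            name for name, func in self.constructors.items()
            if name not in self.permissions and guarded.get(func)
        )


def add_method(container, object_id):
    """Hypothetical constructor standing in for a DTML Method constructor."""
    container[object_id] = "method:" + object_id
    return container[object_id]


def build(protect_legacy):
    """Build a registry with one constructor and one legacy alias."""
    registry = ConstructorRegistry()
    registry.register("add_method", add_method, "Add Methods",
                      legacy_names=("legacy_add_document",),
                      protect_legacy=protect_legacy)
    return registry
```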