Overview This hotfix addresses a security issue reported in CMF Collector #259 (http://zope.org/Collectors/CMF/259). This issue concerns a defective privilege check in the OFS.CopySupport module, which may permit unprivilieged (but authenticated) users of a site to move content into a folder under their control. Affected Versions This issue affects Zope version 2.7.2 and earlier, and has been resolved for Zope version 2.7.3 and later. Users of affected Zope versions should remove the hotfix after upgrading to version 2.7.3 or later. The hotfix has been tested against 2.6.x versions of Zope as well. Getting the Hotfix The hotfix product is available from the "zope.org site", http://zope.org/Products/Zope/Hotfix-200400807/Hotfix-20040807 - "Unix tarball", http://zope.org/Products/Zope/Hotfix-200400807/Hotfix-20040807/Hotfix-200408... - "Windows zipfile", http://zope.org/Products/Zope/Hotfix-200400807/Hotfix-20040807/Hotfix-200408... - "README.txt", http://zope.org/Products/Zope/Hotfix-200400807/README.txt Installation To install the hotfix, unpack the tarball / zip file into the 'Products' directory of your site's INSTANCE_HOME, and then restart your Zope application server. For example, if on your system, the Zope software is installed in '/opt/lib/zope2.7', and your instance is in '/var/lib/zope':: # cd /var/lib/zope/Products # tar xzf /tmp/Hotfix-20040807.tar.gz # ../bin/zopectl restart Removal To remove the hotfix after upgrading Zope to version 2.7.3 or later, simply remove the product folder and restart the application server. For example, for the same setup:: # cd /var/lib/zope/Products # rm -r Hotfix-20040807 # ../bin/zopectl restart Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com