Normally I do not comment on security patches for Zope because they fix very minor issues. The recent patch announced on http://www.zope.org/Products/Zope/Hotfix_2001-07-25/security_alert is different. We tested the exploit script provided at sourceforge, and it immediately pushed any of our servers we tested it on to > 90% system load. With two or three calls of the script, any Zope server (including all other services running on the server) can be brought to a halt.
Note that people running other Python-based Web systems that use cgi.py should also be paying attention to this. I don't know if WebWare or other larger web systems use cgi.py for form parsing, but I'm sure most plain Python cgi scripts do.

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations www.digicool.com