A new Zope hotfix has been issued which addresses an important security issue that affects Zope version 2.3.3, all Zope 2.4.0 alpha and beta releases, as well as the final release of Zope 2.4.0.

We *highly* recommend that any Zope site running Zope 2.3.3, Zope 2.4.0 final or any alpha or beta version of 2.4.0 have this hotfix product installed to mitigate the issue. Zope 2.4.1 will contain a fix for the issue, at which time the hotfix can be removed. Zope versions prior to 2.3.3 are not affected by this issue.

Thanks to Ron Bickers for providing a reproducible test case.

For more information, see:

http://www.zope.org/Products/Zope/Hotfix_2001-08-04/README.txt
http://www.zope.org/Products/Zope/Hotfix_2001-08-04/Hotfix_2001_08_04.tgz

----------
Chris McDonough
Zope Corporation
http://www.zope.org
http://www.zope.com
""" Killing hundreds of birds with thousands of stones """
http://www.zope.org/Products/Zope/Hotfix_2001-08-04/README.txt
Does this problem affect Zope setups where semi-trusted users are _not_ allowed to edit TTW code? cheers, Chris
Yes, as users can call a Method A, which they shouldn't be able to call via the publisher because it's defined in a place where they shouldn't be able to get to it, given that they have a Role X in the place they're defined, and Method A is protected also by a permission granted to role X.

----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "Chris McDonough" <chrism@zope.com>; <zope@zope.org>
Sent: Saturday, August 04, 2001 5:19 PM
Subject: Re: [Zope] ATTN: Zope Security Alert
http://www.zope.org/Products/Zope/Hotfix_2001-08-04/README.txt
Does this problem affect Zope setups where semi-trusted users are _not_ allowed to edit TTW code?
cheers,
Chris