[Zope-Annce] SECURITY: Zope security alert and hotfix product...

Brian Lloyd Brian@digicool.com
Thu, 10 Aug 2000 14:15:29 -0400


Hi all - 

  We have recently become aware of an important security issue 
  that affects all released Zope versions prior to 2.2.1 beta 1.

  The issue involves the fact that the getRoles method of user objects 
  contained in the default UserFolder implementation returns a mutable 
  Python type. Because the mutable object is still associated with the 
  persistent User object, users with the ability to edit DTML could 
  arrange to give themselves extra roles for the duration of a single 
  request by mutating the roles list as a part of the request 
  processing. 

  While we know of no instances of this issue being used to exploit a 
  site, we *highly* recommend that any Zope site running versions of 
  Zope prior to 2.2.1 have this hotfix product installed to mitigate 
  the issue if the site is accessible by untrusted users who have DTML 
  editing privileges.

  A hotfix for this issue in the form of an add-on Zope product has been 
  made available on zope.org. To install the hotfix, simply download and 
  install the package as you would any other Zope add-on product (extract 
  it in the root of your Zope installation). Remember to restart your Zope 
  installation for the hotfix to take effect. 

  http://www.zope.org/Products/Zope/Hotfix_08_09_2000/Hotfix_08_09_2000.tgz

  The hotfix will work for all versions of Zope 2.0 and higher. The 
  forthcoming Zope 2.2.1 beta 1 release will contain the fix for this 
  issue, and you will be able to uninstall the hotfix after upgrading 
  to 2.2.1 beta 1 or higher (though nothing bad will happen if you 
  don't uninstall it).


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
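
As an added illustration of the bug class described in the alert above (example code written for this page, not Zope's UserFolder implementation or the hotfix product): a toy user object whose getRoles() hands back its own stored list, a stand-in for untrusted DTML that appends a role to that list, and an authorization check that then passes. The class names, the untrusted_dtml() stand-in and the tuple-returning fix are assumptions made for the example; they model the mechanism the alert describes, not Zope's actual code.

```python
# Added example, not Zope's code: a toy model of the alert's bug class.
# A getRoles() that returns the persistent object's own list lets any
# code that can call it (here, untrusted DTML) change the stored roles.

class VulnerableUser:
    """Mirrors the pre-2.2.1 behaviour described in the alert: getRoles()
    returns the list object stored on the user, not a copy of it."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        return self._roles          # alias to internal, mutable state


class FixedUser(VulnerableUser):
    """Returns an immutable snapshot (the assumed fix); nothing a caller
    does to the returned value can reach the stored role list."""

    def getRoles(self):
        return tuple(self._roles)


def has_role(user, role):
    """Authorization check, as any caller of getRoles() would perform it."""
    return role in user.getRoles()


def untrusted_dtml(user):
    """Stand-in for DTML written by an untrusted author and evaluated during
    a request. It uses only the public getRoles() API and tries to grow the
    returned object. Returns True if the append succeeded."""
    roles = user.getRoles()
    try:
        roles.append('Manager')
    except AttributeError:          # a tuple has no append()
        return False
    return True


def run_request(user_cls):
    """Run the attack against one user class and report
    (append_succeeded, manager_before, manager_after)."""
    user = user_cls('alice', ['Member'])   # constructed sample user
    before = has_role(user, 'Manager')
    appended = untrusted_dtml(user)
    after = has_role(user, 'Manager')
    return appended, before, after


if __name__ == '__main__':
    print('vulnerable:', run_request(VulnerableUser))   # (True, False, True)
    print('fixed:     ', run_request(FixedUser))        # (False, False, False)
```

Returning a fresh copy (list(self._roles)) would also close the hole, since the caller's append would then land on a throwaway list; the tuple is used here only to make the mutation attempt fail loudly. The alert's "for the duration of a single request" follows from how ZODB tracks changes: an in-place append to a plain list attribute does not mark the persistent User object as modified, so the extra role is not committed, but it is visible to every check made with that object before the request ends.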