[Zope-Annce] ANNOUNCE: Zope security alert and hotfix release
Brian Lloyd
brian@digicool.com
Mon, 18 Dec 2000 12:31:32 -0500
Hi all -
<Tis the season for hot - fix - es, fa la la la la,
waa waa waa waa...>
Peter Kelly has brought another potential security issue to
our attention that is important enough to make a Hotfix
available for those who allow untrusted users to edit DTML
on their sites.
The issue involves incorrect protection of a data updating method
on Image and File objects. Because the method was not correctly
protected, it was possible for users with DTML editing priveleges
to update the raw data of a File or Image object via DTML though
they did not have editing priveleges on the objects themselves.
We recommend that any Zope site running versions of Zope up to and
including 2.2.4 have this hotfix product installed to mitigate the
issue if the site is accessible by untrusted users who have DTML
editing privileges.
http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt
http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz
The hotfix will work for all versions of Zope 2.1.x and higher. A
Zope 2.2.5 release later this week will contain the fix for this
issue (as well as all hot fixes to date) and you will be able to
uninstall the hot fix after upgrading.
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com