[Zope-Annce] Hotfix-20040807 Released

Tres Seaver tseaver at zope.com
Tue Aug 10 09:42:02 EDT 2004


Overview

   This hotfix addresses a security issue reported in CMF Collector
   #259 (http://zope.org/Collectors/CMF/259).  This issue concerns
   a defective privilege check in the OFS.CopySupport module,
   which may permit unprivilieged (but authenticated) users of a site
   to move content into a folder under their control.

Affected Versions

   This issue affects Zope version 2.7.2 and earlier, and has been
   resolved for Zope version 2.7.3 and later.  Users of affected Zope
   versions should remove the hotfix after upgrading to version 2.7.3
   or later.

   The hotfix has been tested against 2.6.x versions of Zope as well.

Getting the Hotfix

   The hotfix product is available from the "zope.org site",
   http://zope.org/Products/Zope/Hotfix-200400807/Hotfix-20040807

    - "Unix tarball",
 
http://zope.org/Products/Zope/Hotfix-200400807/Hotfix-20040807/Hotfix-20040807.tar.gz

    - "Windows zipfile",
 
http://zope.org/Products/Zope/Hotfix-200400807/Hotfix-20040807/Hotfix-20040807.zip

    - "README.txt",
      http://zope.org/Products/Zope/Hotfix-200400807/README.txt


Installation

   To install the hotfix, unpack the tarball / zip file into the
   'Products' directory of your site's INSTANCE_HOME, and then restart
   your Zope application server.

   For example, if on your system, the Zope software is installed in
   '/opt/lib/zope2.7', and your instance is in '/var/lib/zope'::

     # cd /var/lib/zope/Products
     # tar xzf /tmp/Hotfix-20040807.tar.gz
     # ../bin/zopectl restart

Removal

   To remove the hotfix after upgrading Zope to version 2.7.3 or later,
   simply remove the product folder and restart the application server.

   For example, for the same setup::

     # cd /var/lib/zope/Products
     # rm -r Hotfix-20040807
     # ../bin/zopectl restart

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com


More information about the Zope-Announce mailing list