[Zope-dev] Zope 2.1.4 released...

Brian Lloyd Brian@digicool.com
Wed, 9 Feb 2000 16:54:48 -0500


Hi all, 

Zope 2.1.4 has been released. It can be downloaded from
Zope.org at: http://www.zope.org/Products/Zope/2.1.4/

This update prevents the REQUEST object from being traversable 
by web clients. While this feature was useful for debugging, 
Evan Simpson noted a potential security issue that could allow 
web authors to play client scripting tricks and make them appear 
(to the user) to be coming from a Zope site.

While we know of no instances of this happening and the actual 
security of the Zope site's data is not affected by this, we do 
recommend that you upgrade to 2.1.4 to avoid any problems.

Also (I know many of you are already thinking it :), we are 
working on a way to distribute "patch" releases for things 
like this to make updates easier. Until then, for those who 
_really_ just want to patch your installation, you can 
replace the file lib/python/ZPublisher/BaseRequest.py in 
your installation with the one from the 2.1.4 distribution 
and restart your Zope instance.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com