[Zope-dev] Zope security alert and 2.1.7 update [*important*]

Brian Lloyd Brian@digicool.com
Thu, 15 Jun 2000 17:26:18 -0400


Hello all,


We have recently become aware of an important security issue 
that affects all released Zope versions including the recent 
2.2 beta 1 release.

The issue involves an inadequately protected method in one of 
the base classes in the DocumentTemplate package that could allow 
the contents of DTMLDocuments or DTMLMethods to be changed 
remotely or through DTML code without forcing proper user 
authorization. 

A Zope 2.1.7 release has been made that resolves this issue for 
Zope 2.1.x users. This release is available from Zope.org:
  
  http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your 
Zope installation at this time (the patch is based on 2.1.6):

  http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta releases, 
you should apply the patch noted above if your site is accessible 
by untrusted clients. A forthcoming 2.2 beta 2 release will contain 
the fix for this issue.

While we know of no instances of this issue being used to exploit a 
site, we *highly* recommend that any Zope site that is accessible by 
untrusted clients take the appropriate mitigation steps immediately.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com