[Zope-dev] Updated security alert

Brian Lloyd Brian@digicool.com
Fri, 16 Jun 2000 11:48:04 -0400


Hi all -

I've updated the security alert (below). Short story: a new 
"hotfix product" is available on zope.org that will work for 
all 2.0+ Zopes and has no side effects or upgrade implications 
for Zope installations. This feels like a much better model for 
things like this, especially for production sites.


----------------------------------------------------------------


We have recently become aware of an important security issue 
that affects all released Zope versions including the recent 
2.2 beta 1 release.

The issue involves an inadequately protected method in one of 
the base classes in the DocumentTemplate package that could allow 
the contents of DTMLDocuments or DTMLMethods to be changed 
remotely or through DTML code without forcing proper user 
authorization. 
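To make the class of bug described above concrete, here is an added example that is not part of the alert and is not Zope's code: a toy object publisher in the style of Zope (URL path segment resolves to an attribute, which is then called) with a document class whose content-changing method carries no authorization check, next to a hardened publisher that refuses to publish any method lacking an explicit permission declaration and checks that permission against the caller's roles. The class, method, permission and role names are constructed for illustration and are not the method or permission involved in the real issue.

```python
"""Added example (not Zope's code): an unprotected method on a base class
versus default-deny publishing with explicit permission declarations."""


class Unauthorized(Exception):
    """Raised when the caller lacks the permission a method requires."""


class NotFound(Exception):
    """Raised when the path names nothing the publisher will expose."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


# Constructed users: an unauthenticated client and a site manager.
ANONYMOUS = User("anonymous", [])
MANAGER = User("alice", ["Manager"])


# --- Vulnerable model --------------------------------------------------
class VulnerableDocument:
    """Base class whose every public callable is reachable by traversal."""

    def __init__(self, text):
        self.raw = text

    def set_contents(self, data):
        # Inadequately protected: no permission check of any kind, so the
        # toy publisher below will call it for any client that asks.
        self.raw = data
        return "changed"

    def get_contents(self):
        return self.raw


def publish_vulnerable(obj, path, args, user):
    """Toy publisher: any non-underscore callable attribute is published."""
    name = path.strip("/")
    method = getattr(obj, name, None)
    if name.startswith("_") or not callable(method):
        raise NotFound(name)
    return method(*args)  # 'user' is never consulted


# --- Hardened model ----------------------------------------------------
def protected(permission):
    """Decorator recording the permission a method requires (constructed API)."""
    def decorate(fn):
        fn.__permission__ = permission
        return fn
    return decorate


# Constructed role -> permission mapping; every caller is at least Anonymous.
ROLE_PERMISSIONS = {
    "Manager": {"Change Contents", "View"},
    "Anonymous": {"View"},
}


def permissions_for(user):
    roles = set(user.roles) | {"Anonymous"}
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


class HardenedDocument:
    def __init__(self, text):
        self.raw = text

    @protected("Change Contents")
    def set_contents(self, data):
        self.raw = data
        return "changed"

    @protected("View")
    def get_contents(self):
        return self.raw


def publish_hardened(obj, path, args, user):
    """Default deny: only methods with a declared permission are published,
    and only to callers whose roles grant that permission."""
    name = path.strip("/")
    method = getattr(obj, name, None)
    if name.startswith("_") or not callable(method):
        raise NotFound(name)
    permission = getattr(method, "__permission__", None)
    if permission is None:
        raise NotFound(name)  # undeclared methods are invisible, not just denied
    if permission not in permissions_for(user):
        raise Unauthorized(f"{user.name} lacks {permission!r} for {name}")
    return method(*args)
```

The point of the hardened publisher is the `permission is None` branch: a method on a base class that nobody remembered to declare is simply not published, so forgetting a declaration fails closed instead of silently exposing a content-changing operation to every client.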

A hotfix for this issue in the form of an add-on Zope product has 
been made available on zope.org. To install the hotfix, simply 
download and install the package as you would any other Zope add-on 
product (extract it in the root of your Zope installation). Remember 
to restart your Zope installation for the hotfix to take effect.

http://www.zope.org/Products/Zope/Hotfix_06_16_2000/Hotfix_06_16_2000.tgz

The hotfix will work for all versions of Zope 2.0 and higher, 
including the recent 2.2 alpha and beta releases. The forthcoming 
Zope 2.2 beta 2 release will contain a fix for this issue, and you 
will be able to uninstall the hotfix after upgrading to 2.2 (though 
nothing bad will happen if you don't uninstall it).

Note that the 2.1.7 release that was initially made to address this 
issue has been pulled in favor of this hotfix product, which will 
allow managers of Zope sites to address this issue without worrying 
about other implications of upgrading their installations.

While we know of no instances of this issue being used to exploit a 
site, we *highly* recommend that any Zope site that is accessible by 
untrusted clients install the 06/16/2000 hotfix product immediately.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com