[Zope-dev] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)

Matthew T. Kromer matt@zope.com
Fri, 01 Mar 2002 16:22:12 -0500


This hotfix addresses an important security issue that may affect some 
users of Zope versions 2.2.0 through 2.5.x

The issue involves the checking of security for objects with proxy 
roles. The context of the owner user that created the object with proxy 
roles was not being taken into account when determining access to the 
object with proxy roles. This flaw could allow users defined in 
subfolders of a site with sufficient privileges to access objects at 
higher levels in the site that they would not normally be able to access.

We highly recommend that any Zope site running Zope 2.2.0 through Zope 
2.5.x have this hotfix product installed to mitigate the issue. Zope 
2.5.1 and 2.4.4 will contain a fix for the issue, at which time the 
hotfix can be removed.


      DOWNLOAD

Download this hotfix from

    
http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz

-- 
Matt Kromer
Zope Corporation  http://www.zope.com/