[Zope] ANNOUNCE: Zope security alert and hotfix release
Brian Lloyd
brian@digicool.com
Fri, 15 Dec 2000 14:02:08 -0500
Hi all -
A security issue has recently come to our attention (thanks to
Erik Enge for identifying this) that affects Zope versions up to
and including Zope 2.2.4.
The issue involves the computation of local roles. In some situations
the computation was not climbing the correct hierarchy of folders,
sometimes granting local roles inappropriately. This could allow
users with privileges in one folder to gain the same privileges in
another folder.
We *highly* recommend that any Zope site running versions of
Zope up to and including 2.2.4 have this hotfix product installed
to mitigate the issue.
- http://www.zope.org/Products/Zope/Hotfix_2000-12-15/README.txt
-
http://www.zope.org/Products/Zope/Hotfix_2000-12-15/Hotfix_2000-12-15.tgz
The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
Note that we will be making a Zope 2.2.5 release early next week
that includes the fix for this issue as well as the issue addressed
by the recent 12/08 hotfix.
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com