[Zope] Re: [Zope-dev] Zope security alert and 2.1.7 update [*important*]

Gregor Hoffleit gregor@hoffleit.de
Fri, 16 Jun 2000 11:43:21 +0200


Brian,

From the announcement, it sounded like the only change from 2.1.6 to 2.1.7
was the fix to DT_String. Zope-2.1.7-src/doc/CHANGES.txt only lists:

      Bugs Fixed

        - An inadequately protected base class method made DTMLDocuments
          and DTMLMethods vulnerable to having their contents changed by
          unauthorized users.

But when I diff 2.1.6 and 2.1.7, I get modifications in 29 files, ranging
from MailHost to ZLogger and so on.

I haven't yet grokked the patches to 2.1.7 suggested by Adam, but some of
them look like fixes to things that were broken from 2.1.6 to 2.1.7. Judging
from the announcement, I would not have expected that 2.1.7 could break
anything.

Therefore a little plea: Please try to keep the CHANGES.txt accurate and
comprehensive; that's most urgent for security releases like this IMHO: Most
people will install them without much preparation.

thanks,
    Gregor


On Thu, Jun 15, 2000 at 05:26:18PM -0400, Brian Lloyd wrote:
> A Zope 2.1.7 release has been made that resolves this issue for
> Zope 2.1.x users. This release is available from Zope.org:
>
>   http://www.zope.org/Products/Zope/2.1.7/
> 
> A patch is also available if it is not feasible to update your
> Zope installation at this time (the patch is based on 2.1.6):
> 
>   http://www.zope.org/Products/Zope/2.1.7/DT_String.diff