[Zope] Re: [Zope-dev] Zope security alert and 2.1.7 update [*important*]
Gregor Hoffleit
gregor@hoffleit.de
Fri, 16 Jun 2000 11:43:21 +0200
Brian,
from the announcement, it sounded like the only change from 2.1.6 to 2.1.7
was the fix to DT_String. Zope-2.1.7-src/doc/CHANGES.txt only lists:
Bugs Fixed
- An inadequately protected base class method made DTMLDocuments
and DTMLMethods vulnerable to having their contents changed by
unauthorized users.
But when I diff 2.1.6 and 2.1.7, I get modifications in 29 files, ranging
from MailHost to ZLogger and so on.
I haven't yet grokked the patches to 2.1.7 suggested by Adam, but some of
them look like fixes to things that were broken from 2.1.6 to 2.1.7. Judging
from the announcement, I would not have expected that 2.1.7 could break
anything.
Therefore a little plea: Please try to keep the CHANGES.txt accurate and
comprehensive; that's most urgent for security releases like this IMHO: Most
people will install them without much preparation.
thanks,
Gregor
On Thu, Jun 15, 2000 at 05:26:18PM -0400, Brian Lloyd wrote:
> A Zope 2.1.7 release has been made that resolves this issue for
> Zope 2.1.x users. This release is available from Zope.org:
>
> http://www.zope.org/Products/Zope/2.1.7/
>
> A patch is also available if it is not feasible to update your
> Zope installation at this time (the patch is based on 2.1.6):
>
> http://www.zope.org/Products/Zope/2.1.7/DT_String.diff