[Zope] Zope 2.1.5 release and *security update*
Brian Lloyd
Brian@digicool.com
Fri, 17 Mar 2000 17:06:51 -0500
Hi all,
Zope 2.1.5 has been released - you can download it from
the usual place on Zope.org:
http://www.zope.org/Products/Zope/2.1.5/
This release fixes two fairly important security issues
that have recently come to our attention:
o It was possible for a Zope user with a fair amount of Zope
zen and permission to create DTML documents and Folders
to circumvent the security machinery within DTML in certain
situations, possibly giving the user the ability to use
resources that he wouldn't otherwise be able to access via
DTML.
o It also came to our attention that the DTML code in
ZSQLMethod objects was not subject to the same security
constraints as the DTML code in DTMLMethods and DTML
Documents.
The 2.1.5 release fixes both of these issues and we highly
recommend that you upgrade, especially if you use Zope for
sites that allow untrusted users to create Folders and DTML
Documents or DTML Methods.
The release also includes a number of recent bug fixes,
including the problem in TimeStamp objects that caused
the bobobase_modification_time() of Zope objects to
appear to be a day behind. Note that this release contains
two binary changes, so those running Zope from the source
release will need to rebuild the Zope extensions after
applying the update. The fixes are also available in CVS
and binaries will need to be rebuilt after the update for
those of you using CVS.
Note that with the 2.1.5 release we will also be releasing
"diff" updates as .tgz files that will let you easily
upgrade an existing 2.1.x site. These updates are available
for those currently using the 2.1.x source release or the
2.1.x binary releases for either Solaris or Linux (diff
releases are not available for Win32 for now).
To apply a differential update to your site:
o download the appropriate .tgz file from zope.org
o shutdown your Zope process
o copy the .tgz to your Zope directory and extract it
o run w_pcgi or wo_pcgi *if you are not using a binary release*
o restart your process
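The five steps above as one shell function (an added example, not a script from the Zope release or from Brian's post). It assumes the .tgz has already been downloaded, that the Zope directory holds the `start` and `stop` scripts that the installer generates, and that the caller says whether the site is a source or binary release so the `wo_pcgi.py` rebuild step is only run where the post says it is needed.

```shell
#!/bin/sh
# Added example: apply an already-downloaded 2.1.x differential update
# (.tgz) to an existing Zope directory, following the post's five steps.
# Assumptions (not from the announcement): ZOPE_DIR contains the "start"
# and "stop" scripts generated by the installer, and the third argument is
# "source" (rebuild extensions via wo_pcgi.py) or "binary" (skip rebuild).
set -e

apply_zope_update() {
    tgz="$1"; zope_dir="$2"; release_kind="$3"

    # Sanity checks before stopping anything: a missing archive or a wrong
    # directory should fail here, not after the site has been shut down.
    [ -f "$tgz" ] || { echo "update archive not found: $tgz" >&2; return 1; }
    [ -d "$zope_dir" ] || { echo "Zope directory not found: $zope_dir" >&2; return 1; }
    case "$release_kind" in
        source|binary) ;;
        *) echo "release kind must be 'source' or 'binary'" >&2; return 1 ;;
    esac

    # Step 2: shut down the running Zope process before touching its files.
    if [ -x "$zope_dir/stop" ]; then
        "$zope_dir/stop"
    fi

    # Step 3: copy the .tgz into the Zope directory and extract it there so
    # the diff's files overwrite the matching 2.1.x files in place.
    cp "$tgz" "$zope_dir/"
    ( cd "$zope_dir" && tar xzf "$(basename "$tgz")" )

    # Step 4: only source releases rebuild the C extensions (2.1.5 carries
    # two binary changes); wo_pcgi.py is the installer script that does it.
    if [ "$release_kind" = source ] && [ -f "$zope_dir/wo_pcgi.py" ]; then
        ( cd "$zope_dir" && python wo_pcgi.py )
    fi

    # Step 5: bring the site back up.
    if [ -x "$zope_dir/start" ]; then
        "$zope_dir/start"
    fi
    return 0
}
```

Usage: `apply_zope_update /path/to/Zope-2.1.5-update.tgz /usr/local/Zope binary`.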
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com