[For all ye Zope users out there: please upgrade. Internal escalation of privileges vulnerability. Not distribution-specific -- Raju]
This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------

From: George Lewis <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [[EMAIL PROTECTED]: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)]
Date: Fri, 1 Mar 2002 21:34:05 +0000

----- Forwarded message from "Matthew T. Kromer" <[EMAIL PROTECTED]> -----

> From: "Matthew T. Kromer" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)
> Date: Fri, 01 Mar 2002 16:22:12 -0500
>
> This hotfix addresses an important security issue that may affect some
> users of Zope versions 2.2.0 through 2.5.x.
>
> The issue involves the checking of security for objects with proxy
> roles. The context of the owner user that created the object with proxy
> roles was not being taken into account when determining access to the
> object with proxy roles. This flaw could allow users defined in
> subfolders of a site with sufficient privileges to access objects at
> higher levels in the site that they would not normally be able to access.
>
> We highly recommend that any Zope site running Zope 2.2.0 through Zope
> 2.5.x have this hotfix product installed to mitigate the issue. Zope
> 2.5.1 and 2.4.4 will contain a fix for the issue, at which time the
> hotfix can be removed.
>
> DOWNLOAD
>
> Download this hotfix from
>
> http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz
>
> --
> Matt Kromer
> Zope Corporation http://www.zope.com/

----- End forwarded message -----

--
http://schvin.net/

------------------------------
End of this Digest
******************

--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves
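
The access check described in the advisory above, as a simplified model added here for illustration; it is not Zope code and not the hotfix itself. The classes, function names and the sample site are assumptions made for this example.

```python
# Simplified model, not Zope source: folders form a tree, each user is
# defined in one folder, and a script can carry proxy roles that stand in
# for the caller's roles while it runs.

class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def is_within(self, ancestor):
        """True if this folder is `ancestor` or lies beneath it."""
        node = self
        while node is not None:
            if node is ancestor:
                return True
            node = node.parent
        return False

class User:
    def __init__(self, name, defined_in):
        self.name, self.defined_in = name, defined_in

class Script:
    def __init__(self, owner, proxy_roles):
        self.owner, self.proxy_roles = owner, set(proxy_roles)

class Resource:
    def __init__(self, folder, required_roles):
        self.folder, self.required_roles = folder, set(required_roles)

def allowed_before_fix(script, resource):
    # Flawed check: only the proxy roles are compared; the place where the
    # script's owner is defined is not taken into account.
    return bool(script.proxy_roles & resource.required_roles)

def allowed_after_fix(script, resource):
    # Corrected check: proxy roles count only when the resource sits at or
    # below the folder in which the script's owner is defined.
    if not resource.folder.is_within(script.owner.defined_in):
        return False
    return bool(script.proxy_roles & resource.required_roles)

def sample_site():
    """Constructed sample: a root folder and a subfolder with its own user."""
    root = Folder("root")
    dept = Folder("dept", parent=root)
    owner = User("dept_manager", defined_in=dept)  # user defined in subfolder
    script = Script(owner=owner, proxy_roles={"Manager"})
    return script, Resource(root, {"Manager"}), Resource(dept, {"Manager"})
```

With the sample site, the flawed check grants the subfolder user's script access to the root-level resource, while the corrected check grants it only for the resource inside the subfolder.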
