[Zope] ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Brian Lloyd

Hi all -

  Peter Kelly has brought another potential security issue to
  our attention that is important enough to make a Hotfix
  available for those who allow untrusted users to edit DTML
  on their sites.

  The issue involves incorrect protection of a data updating method
  on Image and File objects. Because the method was not correctly
  protected, it was possible for users with DTML editing privileges
  to update the raw data of a File or Image object via DTML though
  they did not have editing privileges on the objects themselves.

  We recommend that any Zope site running versions of Zope up to and
  including 2.2.4 have this hotfix product installed to mitigate the
  issue if the site is accessible by untrusted users who have DTML
  editing privileges.

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz

  The hotfix will work for all versions of Zope 2.1.x and higher. A
  Zope 2.2.5 release later this week will contain the fix for this
  issue (as well as all hot fixes to date) and you will be able to
  uninstall the hot fix after upgrading.


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
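The advisory above describes a method on File/Image objects that could be called from DTML because it lacked a permission declaration. The following is an added illustration (not Zope's code and not the hotfix) of the audit a site administrator would want: a toy class in the Zope 2 `__ac_permissions__` style with one hypothetical undeclared method (`update_data`), a helper that lists every public method with no permission, and a default-deny check. The class name, its methods, and the helper names are assumptions.

```python
"""Toy model of Zope 2-style method protection for File/Image-like classes.

Added illustration only (not Zope's code). The class, its methods and the
audit helpers are hypothetical; the ``__ac_permissions__`` attribute shape
(tuples of (permission name, method names)) is the Zope 2 convention.
"""
import inspect


class ToyFile:
    """Stand-in for a File/Image content object (hypothetical)."""

    # Zope 2 style declaration: every method a web user may call must appear
    # under a permission. 'View' is the read-only permission; 'Change Images
    # and Files' is the one held by users allowed to edit the object.
    __ac_permissions__ = (
        ("View", ("index_html", "get_size")),
        ("Change Images and Files", ("manage_upload",)),
    )

    def __init__(self, data=b""):
        self._data = data

    def index_html(self):
        return self._data

    def get_size(self):
        return len(self._data)

    def manage_upload(self, data):
        self._data = data

    # Hypothetical helper that rewrites raw data but was never listed in
    # __ac_permissions__: this is the class of defect the advisory describes.
    def update_data(self, data):
        self._data = data


def declared_methods(cls):
    """Map method name -> permission for everything the class declares."""
    mapping = {}
    for permission, names in getattr(cls, "__ac_permissions__", ()):
        for name in names:
            mapping[name] = permission
    return mapping


def find_unprotected(cls):
    """Public (non-underscore) methods that have no permission declared.

    Running this over every publishable class is the audit a site admin
    would want: anything it returns is callable without any permission.
    """
    public = {
        name for name, member in inspect.getmembers(cls, inspect.isfunction)
        if not name.startswith("_")
    }
    return public - set(declared_methods(cls))


def is_allowed(cls, method, user_permissions):
    """Default-deny check: a method with no declaration is never callable."""
    permission = declared_methods(cls).get(method)
    if permission is None:
        return False
    return permission in user_permissions


if __name__ == "__main__":
    print("unprotected:", find_unprotected(ToyFile))          # {'update_data'}
    print(is_allowed(ToyFile, "update_data", {"View", "Change Images and Files"}))  # False
```

The default-deny in `is_allowed` is the design point: a missing declaration should fail closed rather than fall through to whatever permission DTML happens to be running under.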




[Zope] ANNOUNCE: Zope security alert and hotfix release

2000-12-15 Thread Brian Lloyd

Hi all -

  A security issue has recently come to our attention (thanks to
  Erik Enge for identifying this) that affects Zope versions up to
  and including Zope 2.2.4.

  The issue involves the computation of local roles.  In some situations
  the computation was not climbing the correct hierarchy of folders,
  sometimes granting local roles inappropriately.  This could allow
  users with privileges in one folder to gain the same privileges in
  another folder.

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.2.4 have this hotfix product installed
  to mitigate the issue.

  - http://www.zope.org/Products/Zope/Hotfix_2000-12-15/README.txt

  - http://www.zope.org/Products/Zope/Hotfix_2000-12-15/Hotfix_2000-12-15.tgz

  The hotfix will work for all versions of Zope 2.2.0 and higher. A
  future version of Zope will contain the fix for this
  issue, and you will be able to uninstall the hot fix after upgrading.

  Note that we will be making a Zope 2.2.5 release early next week
  that includes the fix for this issue as well as the issue addressed
  by the recent 12/08 hotfix.


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com




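The 12/15 advisory says local roles were sometimes computed by climbing the wrong hierarchy of folders, so a role granted in one folder could appear in another. As an added illustration (not Zope's code, and not a description of the actual defective code path), the toy model below resolves local roles strictly along an object's containment chain, contrasts that with a hypothetical resolver that collects roles along the folders visited during an acquisition-style URL traversal, and includes the regression audit a site operator would want: for every user and folder in the tree, the resolver in use must not grant a role that no enclosing folder granted. `Folder`, `traverse`, `roles_for` and `audit_resolver` are assumed names; the site layout is constructed for the example.

```python
"""Toy model of local-role resolution in a folder hierarchy.

Added illustration, not Zope's code. All names are hypothetical. The point:
roles must be collected only along an object's containment chain (the folders
it physically lives in), and an audit can verify that whatever resolver is in
use never grants more than the containment rule allows.
"""
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    # user id -> set of roles granted locally in this folder
    local_roles: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)

    def add(self, child):
        child.parent = self
        self.children[child.name] = child
        return child

    def containment_chain(self):
        """The folder itself, then each enclosing folder up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def roles_for(user, folder):
    """Correct rule: union of local roles along the containment chain only."""
    roles = set()
    for node in folder.containment_chain():
        roles |= node.local_roles.get(user, set())
    return roles


def traverse(root, path):
    """Resolve a URL-style path with acquisition: a name missing from the
    current folder is looked up in its ancestors. Returns (target, visited),
    where `visited` is every folder stepped through, in order."""
    current, visited = root, [root]
    for name in path.strip("/").split("/"):
        node = current
        while node is not None and name not in node.children:
            node = node.parent
        if node is None:
            raise KeyError(name)
        current = node.children[name]
        visited.append(current)
    return current, visited


def roles_via_visited(user, visited):
    """Hypothetical wrong rule: union of roles over the traversal path rather
    than the target's containment chain. A folder reached by acquisition
    inherits roles from the folder it was acquired through."""
    roles = set()
    for node in visited:
        roles |= node.local_roles.get(user, set())
    return roles


def audit_resolver(root, resolver):
    """Compare `resolver(user, folder)` with the containment rule for every
    known user and folder. Returns (user, folder name, extra roles) findings;
    an empty list means the resolver grants nothing the containment rule
    would not."""
    folders, users, stack = [], set(), [root]
    while stack:
        folder = stack.pop()
        folders.append(folder)
        users |= set(folder.local_roles)
        stack.extend(folder.children.values())
    findings = []
    for folder in folders:
        for user in sorted(users):
            extra = resolver(user, folder) - roles_for(user, folder)
            if extra:
                findings.append((user, folder.name, extra))
    return findings


def build_site():
    """Constructed sample: two sibling projects; alice is Manager only in projectA."""
    root = Folder("root")
    project_a = root.add(Folder("projectA"))
    project_b = root.add(Folder("projectB"))
    project_a.local_roles["alice"] = {"Manager"}
    return root, project_a, project_b


if __name__ == "__main__":
    root, a, b = build_site()
    target, visited = traverse(root, "projectA/projectB")  # projectB acquired via projectA
    print(roles_for("alice", target))            # set()
    print(roles_via_visited("alice", visited))   # {'Manager'}  <- leak across siblings
    print(audit_resolver(root, roles_for))       # []
```

The audit is the part worth keeping around after applying a hotfix: run it against the real resolver over a copy of the site's folder tree and any non-empty result is a role grant that did not come from a containing folder.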