Hi all - I've updated the security alert (below). Short story: a new "hotfix product" is available on zope.org that will work for all 2.0+ Zopes and has no side effects or upgrade implications for Zope installations. This feels like a much better model for things like this, especially for production sites.

----------------------------------------------------------------

We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release. The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.

A hotfix for this issue in the form of an add-on Zope product has been made available on zope.org. To install the hotfix, simply download and install the package as you would any other Zope add-on product (extract it in the root of your Zope installation). Remember to restart your Zope installation for the hotfix to take effect.

http://www.zope.org/Products/Zope/Hotfix_06_16_2000/Hotfix_06_16_2000.tgz

The hotfix will work for all versions of Zope 2.0 and higher, including the recent 2.2 alpha and beta releases. The forthcoming Zope 2.2 beta 2 release will contain a fix for this issue, and you will be able to uninstall the hotfix after upgrading to 2.2 (though nothing bad will happen if you don't uninstall it).

Note that the 2.1.7 release that was initially made to address this issue has been pulled in favor of this hotfix product, which will allow managers of Zope sites to address this issue without worrying about other implications of upgrading their installations.

While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients install the 06/16/2000 hotfix product immediately.

Brian Lloyd [EMAIL PROTECTED]
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )