[Zope] Re: [Zope-Annce] ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Gregor Hoffleit

On Fri, Dec 15, 2000 at 02:02:08PM -0500, Brian Lloyd wrote:
   A security issue has recently come to our attention (thanks to
   Erik Enge for identifying this) that affects Zope versions up to
   and including Zope 2.2.4.

...

   The hotfix will work for all versions of Zope 2.2.0 and higher. A
   future version of Zope will contain the fix for this
   issue, and you will be able to uninstall the hot fix after upgrading.

This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix
won't work, and that no fix exists. Is that correct, or is the fix simply
not tested with 2.1.6 ?

Gregor


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Re: ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Brian Lloyd

The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.

 This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix
 won't work, and that no fix exists. Is that correct, or is the fix simply
 not tested with 2.1.6 ?

 Gregor

Sorry - 2.1.6 _is_ vulnerable, and the Hotfix will work for
2.1.6. I'll update that README.

Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com



[Zope] Re: ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Gregor Hoffleit

On Mon, Dec 18, 2000 at 10:30:56AM -0500, Brian Lloyd wrote:
 The hotfix will work for all versions of Zope 2.2.0 and higher. A
 future version of Zope will contain the fix for this
 issue, and you will be able to uninstall the hot fix after upgrading.
 
  This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix
  won't work, and that no fix exists. Is that correct, or is the fix simply
  not tested with 2.1.6 ?
 
  Gregor
 
 Sorry - 2.1.6 _is_ vulnerable, and the Hotfix will work for
 2.1.6. I'll update that README.

Thanks!

Gregor



[Zope] ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Brian Lloyd

Hi all -

  Tis the season for hot - fix - es, fa la la la la,
   waa waa waa waa...

  Peter Kelly has brought another potential security issue to
  our attention that is important enough to make a Hotfix
  available for those who allow untrusted users to edit DTML
  on their sites.

  The issue involves incorrect protection of a data updating method
  on Image and File objects. Because the method was not correctly
  protected, it was possible for users with DTML editing privileges
  to update the raw data of a File or Image object via DTML though
  they did not have editing privileges on the objects themselves.

  We recommend that any Zope site running versions of Zope up to and
  including 2.2.4 have this hotfix product installed to mitigate the
  issue if the site is accessible by untrusted users who have DTML
  editing privileges.

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz

  The hotfix will work for all versions of Zope 2.1.x and higher. A
  Zope 2.2.5 release later this week will contain the fix for this
  issue (as well as all hot fixes to date) and you will be able to
  uninstall the hot fix after upgrading.


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com





Re: [Zope] SECURITY alert and hotfix release

2000-12-09 Thread Andrew Kuchling

On Fri, Dec 08, 2000 at 05:40:13PM -0500, Shane Hathaway wrote:
 AFAICT 2.1.6 is not vulnerable.

Verifying this on our server, this turns out to be quite correct; Zope
2.1.6 does not demonstrate the problem repaired by the hotfix.

--amk


[Zope] SECURITY alert and hotfix release

2000-12-08 Thread Brian Lloyd

Hi all,

  Aleksander Salwa has brought a security issue to our attention
  that affects all Zope versions up to and including Zope 2.2.4.
  We have released a Hotfix product to address the issue that can
  be downloaded from zope.org. (Thanks to Aleksander for finding
  this and to Shane Hathaway for his quick response in resolving
  it!)

  The issue involves security registration of "legacy" names for
  certain object constructors such as the constructors for DTML
  Method objects. Security was not being applied correctly for the
  legacy names, making it possible to call those constructors without
  the permissions that should have been required. This issue could allow
  anonymous users with enough internal knowledge of Zope to instantiate
  new DTML Method instances through the Web.

  The hotfix for this issue is available on the zope.org web site:

    o http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.2.4 have this hotfix product installed
  to mitigate the issue.

  The hotfix will work for all versions of Zope 2.2.0 and higher. A
  future version of Zope will contain the fix for this
  issue, and you will be able to uninstall the hot fix after upgrading.


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com
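
Both advisories on this page describe one class of bug. Zope 2's method permissions are declared by name (the `__ac_permissions__` tuples of that era list method names under each permission), so a method that is reachable under a second, undeclared name (the "legacy" constructor names of the 2000-12-08 hotfix) or a helper that was never declared at all (the data-updating method on File and Image objects of the 2000-12-18 hotfix) can be called without the permission the obvious entry point requires. What follows is an added example, not code from Zope or from either hotfix: a constructed Python model of a name-keyed permission registry that reproduces both bypasses and shows the declaration that closes each. The permission strings, the `Folder` and `File` classes, the alias name `legacy_addDTMLMethod` and the `update_data` helper are assumptions chosen for illustration, and `default_deny` is a hardening the model adds, not a Zope setting.

```python
# Added example, not Zope's own code: a constructed model of a name-keyed
# permission registry, the pattern behind both hotfixes announced above.
# Permission strings, class names and the legacy alias are assumptions.


class Forbidden(Exception):
    """Raised when the caller lacks the permission a method name requires."""


class User:
    def __init__(self, name, *permissions):
        self.name = name
        self.permissions = frozenset(permissions)


class SecurityRegistry:
    """Maps method names to the permission needed to call them.

    default_deny=False mimics the lenient behaviour both bugs relied on:
    a name that was never declared is callable by anyone.
    """

    def __init__(self, default_deny=False):
        self._required = {}
        self.default_deny = default_deny

    def declare_protected(self, permission, *method_names):
        for name in method_names:
            self._required[name] = permission

    def check(self, user, method_name):
        required = self._required.get(method_name)
        if required is None:
            if self.default_deny:
                raise Forbidden(f"{user.name}: {method_name!r} is undeclared")
            return  # undeclared name: open to everyone (the unsafe default)
        if required not in user.permissions:
            raise Forbidden(f"{user.name} lacks {required!r} for {method_name!r}")


class Folder:
    def __init__(self):
        self.objects = {}

    def manage_addDTMLMethod(self, id, body=""):
        self.objects[id] = ("DTML Method", body)
        return id

    # Hypothetical legacy alias: same code reachable under a second name.
    legacy_addDTMLMethod = manage_addDTMLMethod


class File:
    def __init__(self, data=b""):
        self.data = data

    def manage_edit(self, data):   # the obvious, declared entry point
        self.update_data(data)

    def update_data(self, data):   # the helper that does the real write
        self.data = data
        return len(data)


def call(registry, user, target, method_name, *args):
    """Publish-style dispatch: permission check by name, then the call."""
    registry.check(user, method_name)
    return getattr(target, method_name)(*args)


ADD_DTML = "Add DTML Methods"            # assumed permission strings
CHANGE_DTML = "Change DTML Methods"
CHANGE_FILES = "Change Images and Files"


def buggy_registry():
    r = SecurityRegistry()
    r.declare_protected(ADD_DTML, "manage_addDTMLMethod")   # alias forgotten
    r.declare_protected(CHANGE_FILES, "manage_edit")        # helper forgotten
    return r


def fixed_registry(default_deny=False):
    r = SecurityRegistry(default_deny)
    r.declare_protected(ADD_DTML, "manage_addDTMLMethod", "legacy_addDTMLMethod")
    r.declare_protected(CHANGE_FILES, "manage_edit", "update_data")
    return r


def anonymous_can_add_dtml(registry):
    """Can an anonymous caller create a DTML Method through the legacy name?"""
    anon = User("Anonymous")
    try:
        call(registry, anon, Folder(), "legacy_addDTMLMethod", "evil", "<dtml-var x>")
        return True
    except Forbidden:
        return False


def dtml_editor_can_overwrite_file(registry):
    """Can a user with only DTML-editing rights rewrite a File's raw data?"""
    editor = User("dtml_editor", CHANGE_DTML)
    f = File(b"original")
    try:
        call(registry, editor, f, "update_data", b"replaced")
    except Forbidden:
        pass
    return f.data == b"replaced"


if __name__ == "__main__":
    for label, reg in (("buggy", buggy_registry()), ("fixed", fixed_registry())):
        print(label, anonymous_can_add_dtml(reg), dtml_editor_can_overwrite_file(reg))
```

With the buggy registry both probes return True; with the fixed one both return False, which is what declaring the missing names buys you. The `default_deny` variant is the more robust fix: an undeclared name fails closed, so a forgotten alias cannot reopen the hole. When auditing a registry of this kind, diff the set of declared names against every public attribute of the class rather than reading the declarations alone.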



