-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A vulnerability has been discovered in Zope, where by certain types of
misuse of HTTP GET, an attacker could gain elevated privileges. All
Zope versions up to and including 2.10.2 are affected.

Overview

  This hotfix closes the vulnerability by mandating that alterations to
  security settings can only be made through POST requests. The
  vulnerability has been fixed in the Zope 2.8, 2.9 and 2.10 branches,
  and all future releases of Zope will include this fix.

  Do note that this patch only affects direct requests to the security
  methods; any 3rd-party code that calls these methods indirectly may
  still be affected.
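  The following is an added illustration, not the hotfix's own code, of
  the mitigation described above: a privilege-altering method refuses to
  run unless the request arrived as an HTTP POST, while an internal code
  path that never sees the request object is left unguarded, which is the
  caveat about indirect callers. All class, method and attribute names
  (Request, Folder, manage_set_local_roles, _set_roles_unchecked) are
  hypothetical stand-ins and do not reflect Zope's actual API.

```python
"""Added example: a POST-only guard on a security-setting method, and
why an indirect (internal) call path is not covered by it.
All names here are hypothetical, not Zope's real API."""
from functools import wraps


class Request:
    """Minimal stand-in for an HTTP request object (constructed)."""

    def __init__(self, method):
        self.method = method.upper()


def post_only(func):
    """Refuse to run the wrapped method unless request.method is POST."""

    @wraps(func)
    def wrapper(self, request, *args, **kwargs):
        if request.method != "POST":
            raise PermissionError(
                f"{func.__name__} may only be invoked via POST, "
                f"got {request.method}")
        return func(self, request, *args, **kwargs)

    return wrapper


class Folder:
    """Hypothetical object whose local role assignments can be changed."""

    def __init__(self):
        self.local_roles = {}

    @post_only
    def manage_set_local_roles(self, request, user, roles):
        """Publicly reachable entry point; guarded by the POST check."""
        self.local_roles[user] = list(roles)
        return self.local_roles

    def _set_roles_unchecked(self, user, roles):
        """Internal helper that never sees the request, so the guard on
        manage_set_local_roles does not apply. Third-party code that
        reaches this path must enforce its own request-method check."""
        self.local_roles[user] = list(roles)
        return self.local_roles


def attempt(folder, method, user, roles):
    """Try a direct request; return 'changed' or 'rejected'."""
    try:
        folder.manage_set_local_roles(Request(method), user, roles)
        return "changed"
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    f = Folder()
    print(attempt(f, "GET", "alice", ["Manager"]))   # rejected
    print(attempt(f, "POST", "alice", ["Manager"]))  # changed
    # The indirect path bypasses the guard entirely:
    print(f._set_roles_unchecked("bob", ["Manager"]))
```

  The point for anyone auditing code that builds on these methods: the
  guard lives at the request-handling entry point, so any wrapper or
  helper that reaches the same state change by another route needs its
  own method check.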

Hotfix

  We have prepared a hotfix for this problem at:

    http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/

  This hotfix should be installed as soon as possible.

  To install, simply extract the archive into your Products
  directory in your Zope installation.

  See the README for installation instructions:

    http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt

- --
Martijn Pieters

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFF/54F3xaj2GOvgP0RAt2tAJ9YjecowrNAEx08+6GdxNP4sk4aagCfaODt
aeZE9vqYxwF3ICjrHVcAFNE=
=DnMj
-----END PGP SIGNATURE-----
_______________________________________________
Zope-Announce maillist  -  Zope-Announce@zope.org
http://mail.zope.org/mailman/listinfo/zope-announce

 Zope-Announce for Announcements only - no discussions

(Related lists - Users: http://mail.zope.org/mailman/listinfo/zope
Developers: http://mail.zope.org/mailman/listinfo/zope-dev )
