Hi all -

A security issue has recently come to our attention (thanks to
Erik Enge for identifying this) that affects Zope versions up to
and including Zope 2.2.4.

The issue involves the computation of local roles. In some situations
the computation was not climbing the correct hierarchy of folders,
sometimes granting local roles inappropriately. This could allow
users with privileges in one folder to gain the same privileges in
another folder.

We *highly* recommend that any Zope site running versions of
Zope up to and including 2.2.4 have this hotfix product installed
to mitigate the issue.

- http://www.zope.org/Products/Zope/Hotfix_2000-12-15/README.txt
- http://www.zope.org/Products/Zope/Hotfix_2000-12-15/Hotfix_2000-12-15.tgz

The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hotfix after upgrading.

Note that we will be making a Zope 2.2.5 release early next week
that includes the fix for this issue as well as the issue addressed
by the recent 12/08 hotfix.

Brian Lloyd [EMAIL PROTECTED]
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com