dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


Zope security alert and hotfix release

Dec 19, 2000, 19:28 (0 Talkback[s])
(Other stories by Brian Lloyd)
Date: Mon, 18 Dec 2000 12:31:32 -0500
From: Brian Lloyd brian@digicool.com
To: zope-announce@zope.org, zope@zope.org
Subject: [Zope-Annce] ANNOUNCE: Zope security alert and hotfix release
 
Hi all -
 
  
 
  Peter Kelly has brought another potential security issue to
  our attention that is important enough to make a Hotfix
  available for those who allow untrusted users to edit DTML
  on their sites.
 
  The issue involves incorrect protection of a data updating method
  on Image and File objects. Because the method was not correctly
  protected, it was possible for users with DTML editing priveleges
  to update the raw data of a File or Image object via DTML though
  they did not have editing priveleges on the objects themselves.
 
  We recommend that any Zope site running versions of Zope up to and
  including 2.2.4 have this hotfix product installed to mitigate the
  issue if the site is accessible by untrusted users who have DTML
  editing privileges.
 
  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt
 
  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz
 
  The hotfix will work for all versions of Zope 2.1.x and higher. A
  Zope 2.2.5 release later this week will contain the fix for this
  issue (as well as all hot fixes to date) and you will be able to
  uninstall the hot fix after upgrading.
 
 
Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com