---

Zope security alert and 2.1.7 update

From: Brian Lloyd Brian@digicool.com
To: zope-announce@zope.org
Subject: [Zope] Zope security alert and 2.1.7 update
[*important*]
Date: Thu, 15 Jun 2000 17:26:18 -0400

Hello all,

We have recently become aware of an important security issue
that affects all released Zope versions including the recent 2.2
beta 1 release.

The issue involves an inadequately protected method in one of
the base classes in the DocumentTemplate package that could allow
the contents of DTMLDocuments or DTMLMethods to be changed remotely
or through DTML code without forcing proper user authorization.

A Zope 2.1.7 release has been made that resolves this issue for
Zope 2.1.x users. This release is available from Zope.org:

http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your
Zope installation at this time (the patch is based on 2.1.6):

http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta
releases, you should apply the patch noted above if your site is
accessible by untrusted clients. A forthcoming 2.2 beta 2 release
will contain the fix for this issue.

While we know of no instances of this issue being used to
exploit a site, we *highly* recommend that any Zope site that is
accessible by untrusted clients take the appropriate mitigation
steps immediately.


  Brian Lloyd        brian@digicool.com
  Software Engineer  540.371.6909
  Digital Creations  www.digicool.com

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis