[Zope-Annce] ANNOUNCE: Zope security alert and hotfix release

Brian Lloyd brian@digicool.com
Fri, 15 Dec 2000 14:02:08 -0500


Hi all -

  A security issue has recently come to our attention (thanks to
  Erik Enge for identifying this) that affects Zope versions up to
  and including Zope 2.2.4.

  The issue involves the computation of local roles.  In some situations
  the computation was not climbing the correct hierarchy of folders,
  sometimes granting local roles inappropriately.  This could allow
  users with privileges in one folder to gain the same privileges in
  another folder.
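
  As an added illustration (not Zope's code and not the hotfix itself), the
  simplified Python model below shows the property the paragraph above
  describes: a local role granted in one folder must only be visible along
  that folder's containment chain, never in a sibling folder. The `Node`
  tree, the user `alice`, and the choice of the request's traversal path as
  the "wrong hierarchy" are constructed assumptions.

```python
# Added illustration (not Zope's own code): a simplified model of local roles
# on a folder tree. A role granted on a folder applies to that folder and what
# it *contains*, so the lookup must climb the containment chain; climbing any
# other hierarchy (assumed here: the request's traversal path) leaks roles.

class Node:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent          # containing folder; None for the root
        self.children = {}
        self.local_roles = {}         # user -> set of roles granted here
        if parent is not None:
            parent.children[name] = self

def containment_chain(obj):
    """obj, its containing folder, that folder's container, ..., root."""
    while obj is not None:
        yield obj
        obj = obj.parent

def roles_in_context(user, obj):
    """Correct: union of local roles along the containment chain only."""
    roles = set()
    for node in containment_chain(obj):
        roles |= node.local_roles.get(user, set())
    return roles

def roles_along_path(user, path):
    """Incorrect variant (assumed): unions roles over every object on the
    traversal path, so a folder that merely appeared in the URL counts."""
    roles = set()
    for node in path:
        roles |= node.local_roles.get(user, set())
    return roles

def build_site():
    """Constructed sample site: alice is Manager in folderA only."""
    root = Node("root")
    a, b = Node("folderA", root), Node("folderB", root)
    Node("doc_a", a)
    Node("doc_b", b)
    a.local_roles["alice"] = {"Manager"}
    return root

def check_no_cross_folder_leak():
    """Regression check: alice must hold no role on doc_b (inside folderB)."""
    root = build_site()
    a, b = root.children["folderA"], root.children["folderB"]
    doc_b = b.children["doc_b"]
    correct = roles_in_context("alice", doc_b)
    leaky = roles_along_path("alice", [root, a, b, doc_b])  # path via folderA
    return correct, leaky
```

  `check_no_cross_folder_leak()` returns an empty set for the containment
  walk and `{'Manager'}` for the path walk, which is exactly the cross-folder
  privilege gain the advisory warns about.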

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.2.4 have this hotfix product installed
  to mitigate the issue.

  - http://www.zope.org/Products/Zope/Hotfix_2000-12-15/README.txt

  - http://www.zope.org/Products/Zope/Hotfix_2000-12-15/Hotfix_2000-12-15.tgz

  The hotfix will work for all versions of Zope 2.2.0 and higher. A
  future version of Zope will contain the fix for this issue, and you
  will be able to uninstall the hotfix after upgrading.

  Note that we will be making a Zope 2.2.5 release early next week
  that includes the fix for this issue as well as the issue addressed
  by the recent 12/08 hotfix.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com