[Zope-Annce] ANNOUNCE: Zope security alert and hotfix release

Brian Lloyd brian@digicool.com
Mon, 18 Dec 2000 12:31:32 -0500


Hi all -

  <Tis the season for hot - fix - es, fa la la la la,
   waa waa waa waa...>

  Peter Kelly has brought another potential security issue to
  our attention that is important enough to make a Hotfix
  available for those who allow untrusted users to edit DTML
  on their sites.

  The issue involves incorrect protection of a data updating method
  on Image and File objects. Because the method was not correctly
  protected, it was possible for users with DTML editing priveleges
  to update the raw data of a File or Image object via DTML though
  they did not have editing priveleges on the objects themselves.

  We recommend that any Zope site running versions of Zope up to and
  including 2.2.4 have this hotfix product installed to mitigate the
  issue if the site is accessible by untrusted users who have DTML
  editing privileges.

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz

  The hotfix will work for all versions of Zope 2.1.x and higher. A
  Zope 2.2.5 release later this week will contain the fix for this
  issue (as well as all hot fixes to date) and you will be able to
  uninstall the hot fix after upgrading.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com