[Zope] SECURITY: Hotfix 2002-04-15

Lennart Regebro lennart@torped.se
Tue, 16 Apr 2002 19:28:41 +0200


You unzip/untar it in the Zope directory and restart the server.

----- Original Message -----
From: "Granzow, Doug (NCI)" <granzowd@mail.nih.gov>
To: "'Brian Lloyd'" <brian@zope.com>; <zope@zope.org>
Sent: Tuesday, April 16, 2002 7:05 PM
Subject: RE: [Zope] SECURITY: Hotfix 2002-04-15


> How do you install a hotfix?  The README says "Hotfix products are installed
> just as you would install any other Zope product." which is totally
> meaningless to me.  How do you "install any other Zope product."?  How do I
> then confirm it is installed?  Can we have some slightly more descriptive
> documentation, especially for something as important as hotfixes?
>
> -----Original Message-----
> From: Brian Lloyd [mailto:brian@zope.com]
> Sent: Monday, April 15, 2002 4:24 PM
> To: zope-announce@zope.org; zope@zope.org
> Subject: [Zope] SECURITY: Hotfix 2002-04-15
>
>
>
>   This hotfix addresses an important security issue that may affect
>   some users of Zope versions 2.0 through 2.5.1 b1.
>
>   The issue involves a vulnerability involving "through the web code"
>   inadvertently allowing an untrusted user to remotely shut down a
>   Zope server by allowing the user to inject special headers into the
>   response.  If you allow untrusted users to write "through the web"
>   code like Python Scripts, DTML Methods, or Page Templates, your Zope
>   server is vulnerable.
>
>   We highly recommend that any Zope site have this hotfix product
>   installed to mitigate the issue. Zope 2.5.1b2 and 2.4.4b2 as
>   well as subsequent Zope release versions will contain a fix for the
>   issue, at which time the hotfix can be removed.
>
>     http://www.zope.org/Products/Zope/Hotfix_2002-04-15/README.txt
>
>     http://www.zope.org/Products/Zope/Hotfix_2002-04-15/Hotfix_2002-04-15.tgz
>
>
>
> Brian Lloyd        brian@zope.com
> V.P. Engineering   540.361.1716
> Zope Corporation   http://www.zope.com
>
>
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>