Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[Brian () digicool com: [Zope] Zope security alert and 2.1.7 update [*important*]]

From: schvin () SCHVIN NET (George Lewis)
Date: Thu, 15 Jun 2000 21:44:52 +0000

----- Forwarded message from Brian Lloyd <Brian () digicool com> -----


From: Brian Lloyd <Brian () digicool com>
To: "'zope () zope org'" <zope () zope org>,
        "'zope-dev () zope org'"
       <zope-dev () zope org>,
        "'zope-announce () zope org'" <zope-announce () zope org>
Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
Date: Thu, 15 Jun 2000 17:26:18 -0400
X-Mailer: Internet Mail Service (5.5.1960.3)
Errors-To: zope-admin () zope org
X-Mailman-Version: 1.0b8
Precedence: bulk
List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
X-BeenThere: zope () zope org

Hello all,


We have recently become aware of an important security issue
that affects all released Zope versions including the recent
2.2 beta 1 release.

The issue involves an inadequately protected method in one of
the base classes in the DocumentTemplate package that could allow
the contents of DTMLDocuments or DTMLMethods to be changed
remotely or through DTML code without forcing proper user
authorization.

A Zope 2.1.7 release has been made that resolves this issue for
Zope 2.1.x users. This release is available from Zope.org:

  http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your
Zope installation at this time (the patch is based on 2.1.6):

  http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta releases,
you should apply the patch noted above if your site is accessible
by untrusted clients. A forthcoming 2.2 beta 2 release will contain
the fix for this issue.

While we know of no instances of this issue being used to exploit a
site, we *highly* recommend that any Zope site that is accessible by
untrusted clients take the appropriate mitigation steps immediately.


Brian Lloyd        brian () digicool com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com



_______________________________________________
Zope maillist  -  Zope () zope org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )


----- End forwarded message -----

--
George Lewis
http://schvin.net/
Previous By Date Next
Previous By Thread Next

Current thread: