Subject: [Briandigicool.com: [Zope] Zope security alert and 2.1.7 update [*important*]]
From: George Lewis (schvin@SCHVIN.NET)
Date: Thu Jun 15 2000 - 16:44:52 CDT


----- Forwarded message from Brian Lloyd <Brian@digicool.com> -----

> From: Brian Lloyd <Brian@digicool.com>
> To: "'zope@zope.org'" <zope@zope.org>, "'zope-dev@zope.org'" <zope-dev@zope.org>, "'zope-announce@zope.org'" <zope-announce@zope.org>
> Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
> Date: Thu, 15 Jun 2000 17:26:18 -0400
> X-Mailer: Internet Mail Service (5.5.1960.3)
> Errors-To: zope-admin@zope.org
> X-Mailman-Version: 1.0b8
> Precedence: bulk
> List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
> X-BeenThere: zope@zope.org
>
> Hello all,
>
>
> We have recently become aware of an important security issue
> that affects all released Zope versions including the recent
> 2.2 beta 1 release.
>
> The issue involves an inadequately protected method in one of
> the base classes in the DocumentTemplate package that could allow
> the contents of DTMLDocuments or DTMLMethods to be changed
> remotely or through DTML code without forcing proper user
> authorization.
>
> A Zope 2.1.7 release has been made that resolves this issue for
> Zope 2.1.x users. This release is available from Zope.org:
>
> http://www.zope.org/Products/Zope/2.1.7/
>
> A patch is also available if it is not feasible to update your
> Zope installation at this time (the patch is based on 2.1.6):
>
> http://www.zope.org/Products/Zope/2.1.7/DT_String.diff
>
> If you are evaluating any of the recent 2.2 alpha or beta releases,
> you should apply the patch noted above if your site is accessible
> by untrusted clients. A forthcoming 2.2 beta 2 release will contain
> the fix for this issue.
>
> While we know of no instances of this issue being used to exploit a
> site, we *highly* recommend that any Zope site that is accessible by
> untrusted clients take the appropriate mitigation steps immediately.
>
>
> Brian Lloyd                    brian@digicool.com
> Software Engineer              540.371.6909
> Digital Creations              http://www.digicool.com
>
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )

----- End forwarded message -----

--
George Lewis
http://schvin.net/