[Zope] Zope security alert and 2.1.7 update [*important*] (fwd)
Edward Glowacki
glowack2@msu.edu
Thu, 15 Jun 2000 23:21:41 -0400 (EDT)
Found this on BugTraq tonight; since we just had our presentation
about Zope, I thought it might be of use to some of our listeners. =)
--
Edward Glowacki glowack2@msu.edu
Network Services
Michigan State University
---------- Forwarded message ----------
Date: Thu, 15 Jun 2000 21:44:52 +0000
From: George Lewis <schvin@SCHVIN.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [Brian@digicool.com: [Zope] Zope security alert and 2.1.7 update [*important*]]
----- Forwarded message from Brian Lloyd <Brian@digicool.com> -----
> From: Brian Lloyd <Brian@digicool.com>
> To: "'zope@zope.org'" <zope@zope.org>, "'zope-dev@zope.org'" <zope-dev@zope.org>, "'zope-announce@zope.org'" <zope-announce@zope.org>
> Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
> Date: Thu, 15 Jun 2000 17:26:18 -0400
> X-Mailer: Internet Mail Service (5.5.1960.3)
> Errors-To: zope-admin@zope.org
> X-Mailman-Version: 1.0b8
> Precedence: bulk
> List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
> X-BeenThere: zope@zope.org
>
> Hello all,
>
>
> We have recently become aware of an important security issue
> that affects all released Zope versions including the recent
> 2.2 beta 1 release.
>
> The issue involves an inadequately protected method in one of
> the base classes in the DocumentTemplate package that could allow
> the contents of DTMLDocuments or DTMLMethods to be changed
> remotely or through DTML code without forcing proper user
> authorization.
>
> A Zope 2.1.7 release has been made that resolves this issue for
> Zope 2.1.x users. This release is available from Zope.org:
>
> http://www.zope.org/Products/Zope/2.1.7/
>
> A patch is also available if it is not feasible to update your
> Zope installation at this time (the patch is based on 2.1.6):
>
> http://www.zope.org/Products/Zope/2.1.7/DT_String.diff
>
> If you are evaluating any of the recent 2.2 alpha or beta releases,
> you should apply the patch noted above if your site is accessible
> by untrusted clients. A forthcoming 2.2 beta 2 release will contain
> the fix for this issue.
>
> While we know of no instances of this issue being used to exploit a
> site, we *highly* recommend that any Zope site that is accessible by
> untrusted clients take the appropriate mitigation steps immediately.
>
>
> Brian Lloyd brian@digicool.com
> Software Engineer 540.371.6909
> Digital Creations http://www.digicool.com
>
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
----- End forwarded message -----