Bugtraq mailing list archives
[matt () zope com: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)]
From: George Lewis <schvin () schvin net>
Date: Fri, 1 Mar 2002 21:34:05 +0000
----- Forwarded message from "Matthew T. Kromer" <matt () zope com> -----
From: "Matthew T. Kromer" <matt () zope com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020204
X-Accept-Language: en-us
To: zope-announce () zope org
X-MailScanner: Found to be clean
Subject: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)
Errors-To: zope-announce-admin () zope org
X-BeenThere: zope-announce () zope org
X-Mailman-Version: 2.0.8 (101270)
Precedence: bulk
List-Help: <mailto:zope-announce-request () zope org?subject=help>
List-Post: <mailto:zope-announce () zope org>
List-Subscribe: <http://lists.zope.org/mailman/listinfo/zope-announce>,
    <mailto:zope-announce-request () zope org?subject=subscribe>
List-Id: Zope Web Application Server Announcements <zope-announce.zope.org>
List-Unsubscribe: <http://lists.zope.org/mailman/listinfo/zope-announce>,
    <mailto:zope-announce-request () zope org?subject=unsubscribe>
List-Archive: <http://lists.zope.org/pipermail/zope-announce/>
Date: Fri, 01 Mar 2002 16:22:12 -0500

This hotfix addresses an important security issue that may affect some users of Zope versions 2.2.0 through 2.5.x.

The issue involves the checking of security for objects with proxy roles. The context of the owner user that created the object with proxy roles was not being taken into account when determining access to the object with proxy roles. This flaw could allow users defined in subfolders of a site with sufficient privileges to access objects at higher levels in the site that they would not normally be able to access.

We highly recommend that any Zope site running Zope 2.2.0 through Zope 2.5.x have this hotfix product installed to mitigate the issue. Zope 2.5.1 and 2.4.4 will contain a fix for the issue, at which time the hotfix can be removed.

DOWNLOAD

Download this hotfix from http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz

--
Matt Kromer
Zope Corporation http://www.zope.com/

_______________________________________________
Zope-Announce maillist - Zope-Announce () zope org
http://lists.zope.org/mailman/listinfo/zope-announce
Zope-Announce for Announcements only - no discussions
(Related lists -
 Users: http://lists.zope.org/mailman/listinfo/zope
 Developers: http://lists.zope.org/mailman/listinfo/zope-dev )

----- End forwarded message -----

--
http://schvin.net/
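
The access decision described in the forwarded advisory, as a simplified model added here for illustration; it is not Zope's code or the hotfix. The class and function names (`User`, `Script`, `Target`, `in_context`, `check_roles_only`, `check_with_owner_context`) and the folder paths are assumptions made for the example.

```python
# Simplified model of the access decision; constructed for illustration, not Zope's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    home: tuple          # folder whose user folder defines this user

@dataclass(frozen=True)
class Script:            # an executable object that carries proxy roles
    owner: User
    proxy_roles: frozenset

@dataclass(frozen=True)
class Target:
    path: tuple
    required_roles: frozenset

def in_context(user, path):
    """True when path is at or below the folder that defines the user."""
    return path[:len(user.home)] == user.home

def check_roles_only(script, target):
    # Flawed behaviour: proxy roles are honoured wherever the owner was defined.
    return bool(script.proxy_roles & target.required_roles)

def check_with_owner_context(script, target):
    # Corrected behaviour: proxy roles count only inside the owner's context.
    return in_context(script.owner, target.path) and check_roles_only(script, target)

def demo():
    # Constructed sample site: one user defined at the root, one in a subfolder.
    root_admin = User("admin", ("site",))
    dept_user = User("alice", ("site", "dept"))
    manager = frozenset({"Manager"})
    report = Target(("site", "private", "report"), manager)   # above dept
    notes = Target(("site", "dept", "notes"), manager)        # inside dept
    sibling = Target(("site", "dept2", "notes"), manager)     # name prefix only
    by_dept = Script(dept_user, manager)
    by_root = Script(root_admin, manager)
    return {
        "flawed_dept_to_report": check_roles_only(by_dept, report),
        "fixed_dept_to_report": check_with_owner_context(by_dept, report),
        "fixed_dept_to_notes": check_with_owner_context(by_dept, notes),
        "fixed_dept_to_sibling": check_with_owner_context(by_dept, sibling),
        "fixed_root_to_report": check_with_owner_context(by_root, report),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {allowed}")
```

Paths are compared component by component, so a sibling folder whose name merely starts with the owner's folder name (`dept2` versus `dept`) is outside the owner's context.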