Bugtraq mailing list archives

[petrilli () digicool com: [Zope] SECURITY ALERT]


From: schvin () SCHVIN NET (George Lewis)
Date: Tue, 4 Jan 2000 22:22:19 +0000


----- Forwarded message from Christopher Petrilli <petrilli () digicool com> -----

User-Agent: Microsoft Outlook Express Macintosh Edition - 5.0 (1513)
Date: Tue, 04 Jan 2000 17:12:46 -0500
Subject: [Zope] SECURITY ALERT
From: Christopher Petrilli <petrilli () digicool com>
To: <zope-announce () zope org>, <zope () zope org>, <zope-dev () zope org>
Errors-To: zope-admin () zope org
X-Mailman-Version: 1.0b8
Precedence: bulk
List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
X-BeenThere: zope () zope org

Ok, now that we've got your attention...

Thanks to Kevin Littlejohn's sleuthing, a sizable problem in the security
machinery in DTML has been brought to our attention and resolved.  Without
delving too deeply into the obtuseness of the problem, let me first say that
this 1) is very critical and 2) has an urgent fix.

This problem is of most concern to anyone who opens their Zope site up to
the general public (à la zope.org) as it could allow "anonymous" people to
do things which are most definitely not allowed.  Unfortunately it was
introduced many releases ago, but to our knowledge this is the first time
anyone has discovered this problem.

Fixes are contained in the CVS repository as well as:

Zope 2.1.2          http://www.zope.org/Products/Zope/2.1.2/
Patch to 1.10.3     http://www.zope.org/Products/Zope/2.1.2/1104_patch.html

It is important to note that the patch to 1.10.3 has some performance impact
on users of this release.  Unfortunately, we are no longer able to provide
equal levels of support for users of 1.x and 2.x implementations of Zope.
If there are reasons that your site is unable to transition to 2.x, please
let us know so that we can work to resolve them in future releases so that
we can finally retire the old 1.x line of code.

If you have any questions regarding the impact to your site of the changes,
please send them to support () digicool com

Chris
--
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli () digicool com                             http://www.digicool.com


_______________________________________________
Zope maillist  -  Zope () zope org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

----- End forwarded message -----

--
George Lewis
http://schvin.net/
