From: "Brian Lloyd" <brian@digicool.com>
To: <zope-announce@zope.org>, <zope@zope.org>
Subject: [Zope] ANNOUNCE: Zope security alert and hotfix release
Date: Mon, 18 Dec 2000 12:31:32 -0500

Hi all -

<Tis the season for hot - fix - es, fa la la la la, waa waa waa waa...>

Peter Kelly has brought another potential security issue to our attention that is important enough to make a Hotfix available for those who allow untrusted users to edit DTML on their sites.

The issue involves incorrect protection of a data updating method on Image and File objects. Because the method was not correctly protected, it was possible for users with DTML editing privileges to update the raw data of a File or Image object via DTML though they did not have editing privileges on the objects themselves.

We recommend that any Zope site running versions of Zope up to and including 2.2.4 have this hotfix product installed to mitigate the issue if the site is accessible by untrusted users who have DTML editing privileges.

http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt
http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz

The hotfix will work for all versions of Zope 2.1.x and higher. A Zope 2.2.5 release later this week will contain the fix for this issue (as well as all hotfixes to date) and you will be able to uninstall the hotfix after upgrading.

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com

_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
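The class of defect the notice describes is a method that mutates an object but carries no permission declaration, so code running under the restricted DTML namespace can reach it even though the caller holds no edit permission on the object. The following is an added illustration, not code from the announcement, from the hotfix, or from Zope itself: it is a deliberately simplified model of permission-checked attribute access. The names `Declarations`, `declare_protected`, `guarded_getattr_lenient`, `guarded_getattr_strict`, `FileObject`, `update_raw` and the permission strings are all constructed for this example and are not Zope's actual API or the actual method the hotfix changed. It shows the lenient policy (undeclared methods pass through) beside the strict one (deny by default), plus the audit a practitioner would run to find undeclared mutators.

```python
"""Toy model of permission-checked method access, in the spirit of the
File/Image issue announced above. NOT Zope code and not Zope's real API:
every class, function and permission name here is constructed for
illustration only.
"""

# Constructed permission names (hypothetical, chosen to read like Zope's).
VIEW = "View"
CHANGE = "Change Images and Files"


class Declarations:
    """Per-class table: attribute name -> permission required to reach it."""

    def __init__(self):
        self.perms = {}

    def declare_protected(self, permission, *names):
        for name in names:
            self.perms[name] = permission


class FileObject:
    """Stand-in for a File/Image-like object holding raw data (hypothetical)."""

    security = Declarations()

    def __init__(self, data=b"original"):
        self.data = data

    security.declare_protected(VIEW, "index_html")
    def index_html(self):
        return self.data

    security.declare_protected(CHANGE, "manage_edit")
    def manage_edit(self, data):
        self.data = data

    # Deliberately left WITHOUT a declaration: the class of defect in the notice.
    def update_raw(self, data):
        self.data = data


class User:
    def __init__(self, name, permissions):
        self.name = name
        self.permissions = set(permissions)


class Unauthorized(Exception):
    pass


def guarded_getattr_lenient(obj, name, user):
    """Vulnerable policy: an attribute is checked only if it was declared, so an
    undeclared mutator is callable by anyone who can already run code
    (e.g. a DTML author)."""
    perms = type(obj).security.perms
    if name in perms and perms[name] not in user.permissions:
        raise Unauthorized(f"{user.name} lacks {perms[name]!r} for {name}")
    return getattr(obj, name)


def guarded_getattr_strict(obj, name, user):
    """Corrected policy: deny by default. An attribute is reachable only if it
    is declared AND the caller holds that permission."""
    perms = type(obj).security.perms
    required = perms.get(name)
    if required is None or required not in user.permissions:
        raise Unauthorized(f"{user.name} may not access {name}")
    return getattr(obj, name)


def attempt_write(policy, user, method_name, new_data=b"attacker data"):
    """Simulate restricted code authored by `user` calling `method_name` on a
    fresh FileObject through `policy`. Returns the data held afterwards, so the
    caller can see whether the write landed."""
    f = FileObject()
    try:
        policy(f, method_name, user)(new_data)
    except Unauthorized:
        pass
    return f.data


def undeclared_methods(cls):
    """Audit check: public callables on `cls` with no permission declaration.
    This is the review step that would have caught the issue before release."""
    perms = cls.security.perms
    return sorted(
        name for name, value in vars(cls).items()
        if callable(value) and not name.startswith("_") and name not in perms
    )


if __name__ == "__main__":
    dtml_author = User("dtml_author", [VIEW])   # can edit DTML, cannot edit files
    print("lenient:", attempt_write(guarded_getattr_lenient, dtml_author, "update_raw"))
    print("strict: ", attempt_write(guarded_getattr_strict, dtml_author, "update_raw"))
    print("audit:  ", undeclared_methods(FileObject))
```

Under the lenient policy the DTML author's write to the undeclared method succeeds; under the strict policy it is refused, while a user holding the change permission can still use the declared `manage_edit`. The `undeclared_methods` audit flags the forgotten method, which is the check to add to a release process for any framework where restricted code can traverse to object methods.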