From: "Brian Lloyd" <brian@digicool.com> To: <zope-announce@zope.org>, <zope@zope.org> Subject: [Zope] ANNOUNCE: Zope security alert and hotfix release Date: Fri, 15 Dec 2000 14:02:08 -0500 Hi all - A security issue has recently come to our attention (thanks to Erik Enge for identifying this) that affects Zope versions up to and including Zope 2.2.4. The issue involves the computation of local roles. In some situations the computation was not climbing the correct hierarchy of folders, sometimes granting local roles inappropriately. This could allow users with privileges in one folder to gain the same privileges in another folder. We *highly* recommend that any Zope site running versions of Zope up to and including 2.2.4 have this hotfix product installed to mitigate the issue. - http://www.zope.org/Products/Zope/Hotfix_2000-12-15/README.txt - http://www.zope.org/Products/Zope/Hotfix_2000-12-15/Hotfix_2000-12-15.tgz The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading. Note that we will be making a Zope 2.2.5 release early next week that includes the fix for this issue as well as the issue addressed by the recent 12/08 hotfix. Brian Lloyd brian@digicool.com Software Engineer 540.371.6909 Digital Creations http://www.digicool.com _______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )