[Zope-Annce] Updated security alert
Fri, 16 Jun 2000 11:48:04 -0400
Hi all -
I've updated the security alert (below). Short story: a new
"hotfix product" is available on zope.org that will work for
all 2.0+ Zopes and has no side effects or upgrade implications
for Zope installations. This feels like a much better model for
things like this, especially for production sites.
We have recently become aware of an important security issue
that affects all released Zope versions including the recent
2.2 beta 1 release.
The issue involves an inadequately protected method in one of
the base classes in the DocumentTemplate package that could allow
the contents of DTMLDocuments or DTMLMethods to be changed
remotely or through DTML code without forcing proper user
A hotfix for this issue in the form of an add-on Zope product has
been made available on zope.org. To install the hotfix, simply
download and install the package as you would any other Zope add-on
product (extract it in the root of your Zope installation). Remember
to restart your Zope installation for the hotfix to take effect.
The hotfix will work for all versions of Zope 2.0 and higher,
including the recent 2.2 alpha and beta releases. The forthcoming
Zope 2.2 beta 2 release will contain a fix for this issue, and you
be able to uninstall the hot fix after upgrading to 2.2. (though
nothing bad will happen if you don't uninstall it).
Note that the 2.1.7 release that was initially made to address this
issue has been pulled in favor of this hotfix product, which will
allow managers of Zope sites to address this issue without worrying
about other implications of upgrading their installations.
While we know of no instances of this issue being used to exploit a
site, we *highly* recommend that any Zope site that is accessible by
untrusted clients install the 06/16/2000 hotfix product immediately.
Brian Lloyd firstname.lastname@example.org
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com