[Zope-Annce] Zope Hotfix 2002-06-14 Available

Matthew T. Kromer matt@zope.com
Fri, 14 Jun 2002 17:27:45 -0400

This hotfix addresses an important security issue that affects users 
of Zope versions 2.4.0 through 2.5.1 (or other Zope versions with 
ZCatalog's plug-in index support installed).

The issue involves the security of the indexes of ZCatalog objects. A 
flaw in the security settings of ZCatalog allows anonymous users to call 
arbitrary methods of catalog indexes. The vulnerability also allows 
untrusted code to do the same.

We highly recommend that any Zope site running Zope 2.4.0 through Zope 
2.5.1 have this hotfix product installed to mitigate the issue. Zope 2.6 
will contain a fix for the issue, at which time the hotfix can be removed.

You may obtain this hotfix at:



Matt Kromer
Zope Corporation  http://www.zope.com/