[petrilli@digicool.com: [Zope] SECURITY ALERT]
daemon@ATHENA.MIT.EDU (George Lewis)
Tue Jan  4 23:54:08 2000
Message-Id:  <20000104222219.B41650@schvin.net>
Date:         Tue, 4 Jan 2000 22:22:19 +0000
Reply-To: George Lewis <schvin@SCHVIN.NET>
From: George Lewis <schvin@SCHVIN.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
----- Forwarded message from Christopher Petrilli <petrilli@digicool.com> -----
> Date: Tue, 04 Jan 2000 17:12:46 -0500
> Subject: [Zope] SECURITY ALERT
> From: Christopher Petrilli <petrilli@digicool.com>
> To: <zope-announce@zope.org>, <zope@zope.org>, <zope-dev@zope.org>
>
> Ok, now that we've got your attention...
>
> Thanks to Kevin Littlejohn's sleuthing, a sizable problem in the security
> machinery in DTML has been brought to our attention and resolved.  Without
> delving too deeply into the obtuseness of the problem, let me first say that
> this is 1) very critical, 2) has an urgent fix.
>
> This problem is of most concern to anyone who opens their Zope site up to
> the general public (à la zope.org), as it could allow "anonymous" people to
> do things which are most definitely not allowed.  Unfortunately it was
> introduced many releases ago, but to our knowledge this is the first time
> anyone has discovered this problem.
>
> Fixes are contained in the CVS repository as well as:
>
> Zope 2.1.2          http://www.zope.org/Products/Zope/2.1.2/
> Patch to 1.10.3     http://www.zope.org/Products/Zope/2.1.2/1104_patch.html
>
> It is important to note that the patch to 1.10.3 has some performance impact
> on users of this release.  Unfortunately, we are no longer able to provide
> equal levels of support for users of 1.x and 2.x implementations of Zope.
> If there are reasons that your site is unable to transition to 2.x, please
> let us know so that we can work to resolve them in future releases so that
> we can finally retire the old 1.x line of code.
>
> If you have any questions regarding the impact to your site of the changes,
> please send them to support@digicool.com
>
> Chris
> --
> | Christopher Petrilli        Python Powered        Digital Creations, Inc.
> | petrilli@digicool.com                             http://www.digicool.com
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
----- End forwarded message -----
--
George Lewis
http://schvin.net/