[24507] in bugtraq


[matt@zope.com: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)]

daemon@ATHENA.MIT.EDU (George Lewis)
Fri Mar 1 20:41:15 2002

Date: Fri, 1 Mar 2002 21:34:05 +0000
From: George Lewis <schvin@schvin.net>
To: bugtraq@securityfocus.com
Message-ID: <20020301213405.GS30233@aegle.nexus>

----- Forwarded message from "Matthew T. Kromer" <matt@zope.com> -----

> From: "Matthew T. Kromer" <matt@zope.com>
> To: zope-announce@zope.org
> Subject: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)
> Date: Fri, 01 Mar 2002 16:22:12 -0500
> 
> 
> This hotfix addresses an important security issue that may affect some
> users of Zope versions 2.2.0 through 2.5.x.
> 
> The issue involves the checking of security for objects with proxy 
> roles. The context of the owner user that created the object with proxy 
> roles was not being taken into account when determining access to the 
> object with proxy roles. This flaw could allow users defined in 
> subfolders of a site with sufficient privileges to access objects at 
> higher levels in the site that they would not normally be able to access.
> 
> We highly recommend that any Zope site running Zope 2.2.0 through Zope 
> 2.5.x have this hotfix product installed to mitigate the issue. Zope 
> 2.5.1 and 2.4.4 will contain a fix for the issue, at which time the 
> hotfix can be removed.
> 
> 
>      DOWNLOAD
> 
> Download this hotfix from
> 
>    http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz
> 
> -- 
> Matt Kromer
> Zope Corporation  http://www.zope.com/ 

----- End forwarded message -----

-- 
http://schvin.net/
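
Added illustration, not part of the forwarded announcement and not Zope's own code: a simplified Python model of the proxy-role check described above, before and after the owner's context is taken into account. The class and function names, the sample paths, and the rule that a user's context is the folder where that user is defined are assumptions made for this model.

```python
from dataclasses import dataclass

# Simplified model (assumption): a path is a tuple of folder names, and a
# user's context is the folder that holds the user folder defining them.

@dataclass(frozen=True)
class User:
    name: str
    defined_in: tuple

@dataclass(frozen=True)
class Executable:          # e.g. a script that carries proxy roles
    owner: User
    proxy_roles: frozenset

@dataclass(frozen=True)
class Target:
    path: tuple
    required_roles: frozenset

def owner_in_context(owner, target):
    """True when the target lies at or below the folder defining the owner."""
    return target.path[:len(owner.defined_in)] == owner.defined_in

def allowed_before_fix(exe, target):
    # Flawed check: only the proxy roles are compared with the target's roles.
    return bool(exe.proxy_roles & target.required_roles)

def allowed_after_fix(exe, target):
    # Corrected check: the owner must be valid in the target's context
    # before the proxy roles are allowed to count.
    if not owner_in_context(exe.owner, target):
        return False
    return bool(exe.proxy_roles & target.required_roles)

# Constructed sample data.
ROOT_ADMIN = User("root_admin", ())
DEPT_ADMIN = User("dept_admin", ("dept",))
MANAGER = frozenset({"Manager"})
ROOT_SCRIPT = Executable(ROOT_ADMIN, MANAGER)
DEPT_SCRIPT = Executable(DEPT_ADMIN, MANAGER)
SITE_CONFIG = Target(("site_config",), MANAGER)       # above /dept
DEPT_REPORT = Target(("dept", "report"), MANAGER)     # inside /dept

if __name__ == "__main__":
    for exe in (ROOT_SCRIPT, DEPT_SCRIPT):
        for tgt in (SITE_CONFIG, DEPT_REPORT):
            print(exe.owner.name, "/" + "/".join(tgt.path),
                  allowed_before_fix(exe, tgt), allowed_after_fix(exe, tgt))
```

In this model the only result that changes is the script owned by the subfolder user reaching the object above its folder: allowed before the fix, denied after it.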
