[18324] in bugtraq
Re: Zope DTML Role Issue
daemon@ATHENA.MIT.EDU (Andreas Hasenack)
Fri Dec 22 15:09:38 2000
Mail-Followup-To: Andreas Hasenack <andreas@conectiva.com.br>,
BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20001222094221.F13751@conectiva.com.br>
Date: Fri, 22 Dec 2000 09:42:21 -0200
Reply-To: Andreas Hasenack <andreas@CONECTIVA.COM.BR>
From: Andreas Hasenack <andreas@CONECTIVA.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.30.0012220020340.14762-100000@mail>; from
flynn@SECURITYFOCUS.COM on Fri, Dec 22, 2000 at 12:26:37AM -0800
On Fri, Dec 22, 2000 at 12:26:37AM -0800, Hal Flynn wrote:
> For those of you that haven't seen it, this is the advisory that came
> across the zope list regarding the DTML role issue.
>
> *** Begin Advisory ***
>
> Brian Lloyd brian@digicool.com
> Fri, 8 Dec 2000 15:48:52 -0500
>
>
> Hi all,
>
> Aleksander Salwa has brought a security issue to our attention
> that affects all Zope versions up to and including Zope 2.2.4.
(snip)
> o http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz
>
> We *highly* recommend that any Zope site running versions of
> Zope up to and including 2.2.4 have this hotfix product installed
> to mitigate the issue.
The README (and the advisory, which you can still find at
http://www.zope.org/ZopeNews?query_start=11 around the middle of
the page) has been updated to say that only Zope-2.2.0 and up
are affected, which was not exactly clear from the original advisory.
http://www.zope.org/Products/Zope/Hotfix_2000-12-08/README.txt