----- Forwarded message from Brian Lloyd <[EMAIL PROTECTED]> -----

> From: Brian Lloyd <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>,
>     "'[EMAIL PROTECTED]'"
>     <[EMAIL PROTECTED]>,
>     "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
> Date: Thu, 15 Jun 2000 17:26:18 -0400
> X-Mailer: Internet Mail Service (5.5.1960.3)
> Errors-To: [EMAIL PROTECTED]
> X-Mailman-Version: 1.0b8
> Precedence: bulk
> List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
> X-BeenThere: [EMAIL PROTECTED]
>
> Hello all,
>
>
> We have recently become aware of an important security issue
> that affects all released Zope versions including the recent
> 2.2 beta 1 release.
>
> The issue involves an inadequately protected method in one of
> the base classes in the DocumentTemplate package that could allow
> the contents of DTMLDocuments or DTMLMethods to be changed
> remotely or through DTML code without forcing proper user
> authorization.
>
> A Zope 2.1.7 release has been made that resolves this issue for
> Zope 2.1.x users. This release is available from Zope.org:
>
> http://www.zope.org/Products/Zope/2.1.7/
>
> A patch is also available if it is not feasible to update your
> Zope installation at this time (the patch is based on 2.1.6):
>
> http://www.zope.org/Products/Zope/2.1.7/DT_String.diff
>
> If you are evaluating any of the recent 2.2 alpha or beta releases,
> you should apply the patch noted above if your site is accessible
> by untrusted clients. A forthcoming 2.2 beta 2 release will contain
> the fix for this issue.
>
> While we know of no instances of this issue being used to exploit a
> site, we *highly* recommend that any Zope site that is accessible by
> untrusted clients take the appropriate mitigation steps immediately.
>
>
> Brian Lloyd                    [EMAIL PROTECTED]
> Software Engineer              540.371.6909
> Digital Creations              http://www.digicool.com
>
>
>
> _______________________________________________
> Zope maillist - [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )

----- End forwarded message -----

--
George Lewis
http://schvin.net/

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information is at http://www.linux.or.id/milis.php3
The list administrators can be contacted via [EMAIL PROTECTED]
