----- Forwarded message from Christopher Petrilli <petrilliat_private> -----

> User-Agent: Microsoft Outlook Express Macintosh Edition - 5.0 (1513)
> Date: Tue, 04 Jan 2000 17:12:46 -0500
> Subject: [Zope] SECURITY ALERT
> From: Christopher Petrilli <petrilliat_private>
> To: <zope-announceat_private>, <zopeat_private>, <zope-devat_private>
> Errors-To: zope-adminat_private
> X-Mailman-Version: 1.0b8
> Precedence: bulk
> List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
> X-BeenThere: zopeat_private
>
> Ok, now that we've got your attention...
>
> Thanks to Kevin Littlejohn's sleuthing, a sizable problem in the security
> machinery in DTML has been brought to our attention and resolved. Without
> delving too deeply into the obtuseness of the problem, let me first say that
> this is 1) very critical, 2) has an urgent fix.
>
> This problem is of most concern to anyone who opens their Zope site up to
> the general public (a'la zope.org) as it could allow "anonymous" people to
> do things which are most definitely not allowed. Unfortunately it was
> introduced many releases ago, but to our knowledge this is the first time
> anyone has discovered this problem.
>
> Fixes are contained in the CVS repository as well as:
>
> Zope 2.1.2 http://www.zope.org/Products/Zope/2.1.2/
> Patch to 1.10.3 http://www.zope.org/Products/Zope/2.1.2/1104_patch.html
>
> It is important to note that the patch to 1.10.3 has some performance impact
> on users of this release. Unfortunately, we are no longer able to provide
> equal levels of support for users of 1.x and 2.x implementations of Zope.
> If there are reasons that your site is unable to transition to 2.x, please
> let us know so that we can work to resolve them in future releases so that
> we can finally retire the old 1.x line of code.
>
> If you have any questions regarding the impact to your site of the changes,
> please send them to supportat_private
>
> Chris
> --
> | Christopher Petrilli Python Powered Digital Creations, Inc.
> | petrilliat_private http://www.digicool.com
>
>
> _______________________________________________
> Zope maillist - Zopeat_private
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )

----- End forwarded message -----

--
George Lewis
http://schvin.net/