[petrilliat_private: [Zope] SECURITY ALERT]

From: George Lewis (schvinat_private)
Date: Tue Jan 04 2000 - 14:22:19 PST

    ----- Forwarded message from Christopher Petrilli <petrilliat_private> -----
    
    > User-Agent: Microsoft Outlook Express Macintosh Edition - 5.0 (1513)
    > Date: Tue, 04 Jan 2000 17:12:46 -0500
    > Subject: [Zope] SECURITY ALERT
    > From: Christopher Petrilli <petrilliat_private>
    > To: <zope-announceat_private>, <zopeat_private>, <zope-devat_private>
    > Errors-To: zope-adminat_private
    > X-Mailman-Version: 1.0b8
    > Precedence: bulk
    > List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
    > X-BeenThere: zopeat_private
    >
    > Ok, now that we've got your attention...
    >
    > Thanks to Kevin Littlejohn's sleuthing, a sizable problem in the security
    > machinery in DTML has been brought to our attention and resolved.  Without
    > delving too deeply into the obtuseness of the problem, let me first say that
    > this is 1) very critical, 2) has an urgent fix.
    >
    > This problem is of most concern to anyone who opens their Zope site up to
    > the general public (à la zope.org) as it could allow "anonymous" people to
    > do things which are most definitely not allowed.  Unfortunately it was
    > introduced many releases ago, but to our knowledge this is the first time
    > anyone has discovered this problem.
    >
    > Fixes are contained in the CVS repository as well as:
    >
    > Zope 2.1.2          http://www.zope.org/Products/Zope/2.1.2/
    > Patch to 1.10.3     http://www.zope.org/Products/Zope/2.1.2/1104_patch.html
    >
    > It is important to note that the patch to 1.10.3 has some performance impact
    > on users of this release.  Unfortunately, we are no longer able to provide
    > equal levels of support for users of 1.x and 2.x implementations of Zope.
    > If there are reasons that your site is unable to transition to 2.x, please
    > let us know so that we can work to resolve them in future releases so that
    > we can finally retire the old 1.x line of code.
    >
    > If you have any questions regarding the impact to your site of the changes,
    > please send them to supportat_private
    >
    > Chris
    > --
    > | Christopher Petrilli        Python Powered        Digital Creations, Inc.
    > | petrilliat_private                             http://www.digicool.com
    >
    >
    > _______________________________________________
    > Zope maillist  -  Zopeat_private
    > http://lists.zope.org/mailman/listinfo/zope
    > **   No cross posts or HTML encoding!  **
    > (Related lists -
    >  http://lists.zope.org/mailman/listinfo/zope-announce
    >  http://lists.zope.org/mailman/listinfo/zope-dev )
    
    ----- End forwarded message -----
    
    --
    George Lewis
    http://schvin.net/
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:17 PDT