[mattat_private: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)]

From: George Lewis (schvinat_private)
Date: Fri Mar 01 2002 - 13:34:05 PST


    ----- Forwarded message from "Matthew T. Kromer" <mattat_private> -----
    
    > From: "Matthew T. Kromer" <mattat_private>
    > To: zope-announceat_private
    > Subject: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)
    > Date: Fri, 01 Mar 2002 16:22:12 -0500
    > 
    > 
    > This hotfix addresses an important security issue that may affect some 
    > users of Zope versions 2.2.0 through 2.5.x.
    > 
    > The issue involves the checking of security for objects with proxy 
    > roles. The context of the owner user that created the object with proxy 
    > roles was not being taken into account when determining access to the 
    > object with proxy roles. This flaw could allow users defined in 
    > subfolders of a site with sufficient privileges to access objects at 
    > higher levels in the site that they would not normally be able to access.
    > 
    > We highly recommend that any Zope site running Zope 2.2.0 through Zope 
    > 2.5.x have this hotfix product installed to mitigate the issue. Zope 
    > 2.5.1 and 2.4.4 will contain a fix for the issue, at which time the 
    > hotfix can be removed.
    > 
    > 
    >      DOWNLOAD
    > 
    > Download this hotfix from
    > 
    >    
    > http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz
    > 
    > -- 
    > Matt Kromer
    > Zope Corporation  http://www.zope.com/ 
    > 
    
    ----- End forwarded message -----
    
    -- 
    http://schvin.net/
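
A simplified model of the access check described in the forwarded announcement, added here as an illustration; it is not Zope's code or the hotfix's code. The class, the function names, the folder paths and the role name are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    """Hypothetical stand-in for an object that runs with proxy roles."""
    path: str               # where the object lives in the site
    owner_folder: str       # folder whose user database defines the owner
    proxy_roles: frozenset  # roles the object runs with


def in_owner_context(owner_folder: str, target_path: str) -> bool:
    """True if target_path is at or below the folder that defines the owner."""
    base = owner_folder.rstrip("/")
    return target_path == base or target_path.startswith(base + "/")


def allowed_unpatched(exe: Executable, target_path: str, required: frozenset) -> bool:
    # Flawed check: the proxy roles alone decide; where the owner
    # is defined in the site is never consulted.
    return bool(exe.proxy_roles & required)


def allowed_patched(exe: Executable, target_path: str, required: frozenset) -> bool:
    # Hardened check: proxy roles only count for objects inside the
    # part of the site where the owning user is defined.
    return in_owner_context(exe.owner_folder, target_path) and bool(
        exe.proxy_roles & required
    )


# Constructed sample data: an owner defined in the /dept subfolder creates
# an object with the Manager proxy role.
SUBFOLDER_EXE = Executable("/dept/report", "/dept", frozenset({"Manager"}))
ROOT_EXE = Executable("/tools/report", "/", frozenset({"Manager"}))
NEEDS_MANAGER = frozenset({"Manager"})

if __name__ == "__main__":
    for target in ("/dept/docs/plan", "/admin/settings", "/department/x"):
        print(
            target,
            "unpatched:", allowed_unpatched(SUBFOLDER_EXE, target, NEEDS_MANAGER),
            "patched:", allowed_patched(SUBFOLDER_EXE, target, NEEDS_MANAGER),
        )
```

The `/department/x` case shows why the context test compares whole path segments and not a bare string prefix.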
    



    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 17:41:16 PST