Vulnerability

Z Object Publishing Environment

Affected

Users of the Z Object Publishing Environment

Description

Christopher Petrilli posted the following.

Thanks to Kevin Littlejohn's sleuthing, a sizable problem in the security machinery in DTML has been brought to our attention and resolved. Without delving too deeply into the obtuseness of the problem, let's first say that this is 1) very critical, 2) has an urgent fix.

This problem is of most concern to anyone who opens their Zope site up to the general public (à la zope.org) as it could allow "anonymous" people to do things which are most definitely not allowed. Unfortunately it was introduced many releases ago, but to our knowledge this is the first time anyone has discovered this problem.

Solution

Fixes are contained in the CVS repository as well as:

Zope 2.1.2
http://www.zope.org/Products/Zope/2.1.2/

Patch to 1.10.3
http://www.zope.org/Products/Zope/2.1.2/1104_patch.html

It is important to note that the patch to 1.10.3 has some performance impact on users of this release. Unfortunately, we are no longer able to provide equal levels of support for users of 1.x and 2.x implementations of Zope.