Apache Today

Zope SECURITY ALERT and Zope hotfix release
Mar 9, 2001, 21:29 UTC

Date: Fri, 9 Mar 2001 12:50:31 -0500
From: Brian Lloyd
To: [email protected], [email protected], [email protected]
Subject: [Zope-Annce] SECURITY ALERT and Zope hotfix release [2001-03-08]

Hello all -

An issue has come to our attention (thanks to Randy Kern) that necessitates a Zope hotfix. Hotfix products can be installed to incorporate modifications to Zope at runtime without requiring an immediate installation upgrade. Hotfix products are installed just as you would install any other Zope product.

This hotfix (Hotfix_2001-03-08) addresses an important security issue that affects Zope version 2.3.0 and the current 2.3.1 beta 1 release.

The issue involves an error in the 'aq_inContextOf' method of objects that support acquisition. A recent change to the access validation machinery made this bug begin to affect security restrictions. The bug, with the change to validation, made it possible to access Zope objects via acquisition that a user would not otherwise have access to. This issue could allow users with enough internal knowledge of Zope to perform actions higher in the object hierarchy than they should be able to.

We *highly* recommend that any Zope site running Zope 2.3.0 final or any alpha or beta version of 2.3.0 or 2.3.1 beta 1 have this hotfix product installed to mitigate the issue. Zope 2.3.1 beta 2 will contain a fix for the issue, at which time the hotfix can be removed. Zope versions prior to 2.3.0 are not affected by this issue.

- http://www.zope.org/Products/Zope/Hotfix_2001-03-08/README.txt

- http://www.zope.org/Products/Zope/Hotfix_2001-03-08/Hotfix_2001-03-08.tgz

Brian Lloyd        
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com
