Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
Zope security alert and 2.1.7 update
(Jun 16th, 19:54:21 )

From: Brian Lloyd
Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
Date: Thu, 15 Jun 2000 17:26:18 -0400

Hello all,

We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release.

The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.

A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from

A patch is also available if it is not feasible to update your Zope installation at this time (the patch is based on 2.1.6):

If you are evaluating any of the recent 2.2 alpha or beta releases, you should apply the patch noted above if your site is accessible by untrusted clients. A forthcoming 2.2 beta 2 release will contain the fix for this issue.

While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients take the appropriate mitigation steps immediately.

  Brian Lloyd        
  Software Engineer  540.371.6909
  Digital Creations

Printed from Apache Today (

About Triggers Media Kit Security Triggers Login

All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.4, Apache 1.3, and PHP 4
Copyright 2002 INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.