Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
Apache Today [Your Apache News Source] To internet.com

Apache HTTPD Links
The Apache Software Foundation
Apache Module Registry
The Jakarta Project
Apache XML Project
The Apache FAQ
Apache Project
Apache-Perl Integration Project
The Java Apache Project
Apache-Related Projects
ApacheCon
PHP Server Side Scripting
The Linux Channel at internet.com
Linux Today
Enterprise Linux Today
Linux Apps
Apache Today
PHPBuilder
BSD Today
Linux Central
All Linux Devices
Linux Start
BSD Central
Linux Programming
Just Linux
Linuxnewbie.org
Linux Planet
SITE DESCRIPTIONS
Zope security alert and 2.1.7 update
Jun 16, 2000, 19 :54 UTC (0 Talkback[s]) (608 reads) (Other stories by Brian Lloyd)

From: Brian Lloyd
To: zope-announce@zope.org
Subject: [Zope] Zope security alert and 2.1.7 update [*important*]
Date: Thu, 15 Jun 2000 17:26:18 -0400

Hello all,

We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release.

The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.

A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org:

http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your Zope installation at this time (the patch is based on 2.1.6):

http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta releases, you should apply the patch noted above if your site is accessible by untrusted clients. A forthcoming 2.2 beta 2 release will contain the fix for this issue.

While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients take the appropriate mitigation steps immediately.


  Brian Lloyd        
  Software Engineer  540.371.6909
  Digital Creations  www.digicool.com

  Current Newswire:
NewsForge: VA spin-off releases first product, aims for profit

Apache 2.0.28 Released as Beta

Covalent Technologies announces industry support for Enterprise Ready Server and Apache 2.0

developer.com: On the Security of PHP, Part 1

Apache/PHP-based Content Management System Release

HyperSpace Communications announces limited release of HyperSpace Accelerator software

Mod_xslt added to Apache Module Registry

SupportWizard broadens Apache support in response to Nimda and Code Red worms

SEWATCH: The Big List of Web Robots

Sun extends SOAP support across Sun ONE integrated product portfolio


No talkbacks posted.
  Home | Search Talkbacks | Customize View 
  Top of Page  
Enter your comments below.
Your Name: Your Email Address:


Subject: CC: [will also send this talkback to an E-Mail address]
Comments:

See our talkback-policy for or guidelines on talkback content.

About Triggers Media Kit Security Triggers Login


All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.4, Apache 1.3, and PHP 4
Copyright INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.
http://www.internet.com/