Bugtraq: [petrilli@digicool.com: [Zope] SECURITY ALERT]

From: George Lewis <schvin_at_SCHVIN.NET>
Date: Tue, 4 Jan 2000 22:22:19 +0000

----- Forwarded message from Christopher Petrilli <petrilli_at_digicool.com> -----

> User-Agent: Microsoft Outlook Express Macintosh Edition - 5.0 (1513)
> Date: Tue, 04 Jan 2000 17:12:46 -0500
> Subject: [Zope] SECURITY ALERT
> From: Christopher Petrilli <petrilli_at_digicool.com>
> To: <zope-announce_at_zope.org>, <zope_at_zope.org>, <zope-dev_at_zope.org>
> Errors-To: zope-admin_at_zope.org
> X-Mailman-Version: 1.0b8
> Precedence: bulk
> List-Id: Users of the Z Object Publishing Environment <zope.zope.org>
> X-BeenThere: zope_at_zope.org
>
> Ok, now that we've got your attention...
>
> Thanks to Kevin Littlejohn's sleuthing, a sizable problem in the security
> machinery in DTML has been brought to our attention and resolved. Without
> delving too deeply into the obtuseness of the problem, let me first say that
> this is 1) very critical, 2) has an urgent fix.
>
> This problem is of most concern to anyone who opens their Zope site up to
> the general public (à la zope.org) as it could allow "anonymous" people to
> do things which are most definitely not allowed. Unfortunately it was
> introduced many releases ago, but to our knowledge this is the first time
> anyone has discovered this problem.
>
> Fixes are contained in the CVS repository as well as:
>
> Zope 2.1.2 http://www.zope.org/Products/Zope/2.1.2/
> Patch to 1.10.3 http://www.zope.org/Products/Zope/2.1.2/1104_patch.html
>
> It is important to note that the patch to 1.10.3 has some performance impact
> on users of this release. Unfortunately, we are no longer able to provide
> equal levels of support for users of 1.x and 2.x implementations of Zope.
> If there are reasons that your site is unable to transition to 2.x, please
> let us know so that we can work to resolve them in future releases so that
> we can finally retire the old 1.x line of code.
>
> If you have any questions regarding the impact to your site of the changes,
> please send them to support_at_digicool.com
>
> Chris
> --
> | Christopher Petrilli Python Powered Digital Creations, Inc.
> | petrilli@digicool.com http://www.digicool.com
>
>
> _______________________________________________
> Zope maillist - Zope_at_zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )

----- End forwarded message -----

--
George Lewis
http://schvin.net/
Received on Jan 04 2000