Package: zope2.9 Version: 2.9.6-4 Severity: important Tags: security ----- Forwarded message from Martijn Pieters <[EMAIL PROTECTED]> -----
To: Zope Announce <zope-announce@zope.org> From: Martijn Pieters <[EMAIL PROTECTED]> Date: Tue, 20 Mar 2007 09:40:30 +0100 Subject: [Zope-Annce] Hotfix for cross-site scripting vulnerability A vulnerability has been discovered in Zope, where by certain types of misuse of HTTP GET, an attacker could gain elevated privileges. All Zope versions up to and including 2.10.2 are affected. Overview This hotfix removes the exploit by mandating that security setting alterations can only be made through POST requests. This vulnerability has been fixed in the Zope 2.8, 2.9 and 2.10 branches and all future releases of Zope will include this fix. Do note that this patch only affects direct requests to the security methods; any 3rd-party code that calls these methods indirectly may still be affected. Hotfix We have prepared a hot fix for this problem at: "http://www.zope.org/Products/Zope/Hotfix-2007-03-20/ Hotfix-20070320/", http://www.zope.org/Products/Zope/Hotfix-2007-03-20/ Hotfix-20070320/. This hotfix should be installed as soon as possible. To install, simply extract the archive into your Products directory in your Zope installation. See: "http://www.zope.org/Products/Zope/Hotfix-2007-03-20/ Hotfix-20070320/README.txt", http://www.zope.org/Products/Zope/Hotfix-2007-03-20/ Hotfix-20070320/README.txt, for installation instructions. ----- End forwarded message ----- -- But Captain -- the engines can't take this much longer!
signature.asc
Description: Digital signature
