COMMAND

    Z Object Publishing Environment

SYSTEMS AFFECTED

    Users of the Z Object Publishing Environment

PROBLEM

    Christopher Petrilli posted the following. Thanks to Kevin
    Littlejohn's sleuthing, a sizable problem in the security
    machinery in DTML has been brought to our attention and resolved.
    Without delving too deeply into the obtuseness of the problem,
    let's first say that this is 1) very critical, 2) has an urgent
    fix.

    This problem is of most concern to anyone who opens their Zope
    site up to the general public (à la zope.org) as it could allow
    "anonymous" people to do things which are most definitely not
    allowed. Unfortunately it was introduced many releases ago, but
    to our knowledge this is the first time anyone has discovered
    this problem.

SOLUTION

    Fixes are contained in the CVS repository as well as:

        Zope 2.1.2          http://www.zope.org/Products/Zope/2.1.2/
        Patch to 1.10.3     http://www.zope.org/Products/Zope/2.1.2/1104_patch.html

    It is important to note that the patch to 1.10.3 has some
    performance impact on users of this release. Unfortunately, we
    are no longer able to provide equal levels of support for users
    of 1.x and 2.x implementations of Zope.