COMMAND

    DocumentTemplate

SYSTEMS AFFECTED

    Conectiva Linux 4.2, 5.0

PROBLEM

    The issue involves an inadequately protected method in one of  the
    base classes in the DocumentTemplate package that could allow  the
    contents of  DTMLDocuments or  DTMLMethods to be changed  remotely
    or through DTML code without forcing proper user authorization.

SOLUTION

    A Zope 2.1.7  release has been  made that resolves  this issue for
    Zope 2.1.x users.  This release is available from Zope.org:

        http://www.zope.org/Products/Zope/2.1.7/

    A patch is  also available if  it is not  feasible to update  your
    Zope installation at this time (the patch is based on 2.1.6):

        http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

    If  you  are  evaluating  any  of  the  recent  2.2  alpha or beta
    releases, you should apply the  patch noted above if your  site is
    accessible by untrusted clients.  A forthcoming 2.2 beta 2 release
    will contain the fix for this issue.

    Direct download links to updated packages for Conectiva Linux:

        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/i386/Zope-2.1.7-1cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/i386/Zope-components-2.1.7-1cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/i386/Zope-core-2.1.7-1cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/i386/Zope-pcgi-2.1.7-1cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/i386/Zope-services-2.1.7-1cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/i386/Zope-zpublisher-2.1.7-1cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/i386/Zope-ztemplates-2.1.7-1cl.i386.rpm

    Direct link to the source package:

        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/blahblahblah.src.rpm

    For Red Hat, see:

        ftp://ftp.redhat.com/pub/redhat/powertools/6.2/

    After you have upgraded to Zope-2.1.2-5, install the Zope-Hotfix
    package. To install the update, use this command:

        rpm -Uvh Zope-Hotfix-06_16_2000-1.noarch.rpm

    Once the Zope-Hotfix package is installed, restart Zope.
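    The following shell helper is an added example and is not part of
    the advisory or of any vendor's packaging. It classifies an installed
    Zope RPM against the fix criteria stated above: Zope 2.1.7 or later
    carries the fix, a 2.1.x below 2.1.7 is unpatched unless the Red Hat
    Zope-Hotfix package is present, and a 2.2 pre-release should be
    checked manually against the DT_String.diff patch or beta 2. The
    function names (vercmp, zope_fix_status, check_installed_zope) are
    mine; the package names and version numbers come from the advisory.

```shell
#!/bin/sh
# Added example: classify an installed Zope RPM against the advisory's fix
# criteria. Helper names are the author's own; versions and package names
# (Zope, Zope-Hotfix, 2.1.7, 2.2) are those given in the advisory text.

FIXED_VERSION="2.1.7"     # first 2.1.x release that contains the fix
PRERELEASE_BRANCH="2.2"   # 2.2 alpha/beta 1 need the patch, beta 2 is fixed

# vercmp A B: compare two dotted numeric version strings.
# Prints -1 if A < B, 0 if equal, 1 if A > B (missing components count as 0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# zope_fix_status VERSION [HOTFIX]
#   VERSION : the Zope package version, e.g. 2.1.6
#   HOTFIX  : "yes" if the Red Hat Zope-Hotfix package is installed (default "no")
# Prints one of: fixed | hotfixed | vulnerable | prerelease
zope_fix_status() {
    version="$1"
    hotfix="${2:-no}"

    # 2.2 line: alpha and beta 1 still need DT_String.diff; beta 2 carries the
    # fix. RPM version strings for pre-releases vary, so report it for review.
    if [ "$(vercmp "$version" "$PRERELEASE_BRANCH")" -ge 0 ]; then
        echo "prerelease"
        return 0
    fi

    # 2.1.7 or later already contains the fix
    if [ "$(vercmp "$version" "$FIXED_VERSION")" -ge 0 ]; then
        echo "fixed"
        return 0
    fi

    # Red Hat path: older 2.1.x plus the Zope-Hotfix package
    if [ "$hotfix" = "yes" ]; then
        echo "hotfixed"
        return 0
    fi

    echo "vulnerable"
}

# check_installed_zope: query the RPM database on the local host and classify.
# Only runs where rpm is available; it is not called at load time so the file
# can be sourced on any system.
check_installed_zope() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 1; }
    v=$(rpm -q --qf '%{VERSION}' Zope 2>/dev/null) || { echo "Zope not installed"; return 0; }
    if rpm -q Zope-Hotfix >/dev/null 2>&1; then h=yes; else h=no; fi
    echo "Zope $v (hotfix: $h): $(zope_fix_status "$v" "$h")"
}

# Usage: source this file and run `check_installed_zope`, or classify a
# version string directly, e.g. `zope_fix_status 2.1.6` prints "vulnerable".
```

    A result of "vulnerable" means the package is below 2.1.7 with no
    hotfix, so either the 2.1.7 packages or the DT_String.diff patch
    still need to be applied; "prerelease" means a 2.2 alpha/beta and
    must be checked by hand, since pre-release RPM version strings are
    not reliably comparable with this numeric scheme.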

    RPMs required:

        ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-06_16_2000-1.noarch.rpm
        ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-Hotfix-06_16_2000-1.src.rpm

    For Linux-Mandrake:

        Linux-Mandrake 7.1: 7.1/RPMS/Zope-2.1.6-1mdk.i586.rpm
                            7.1/RPMS/Zope-components-2.1.6-1mdk.i586.rpm
                            7.1/RPMS/Zope-core-2.1.6-1mdk.i586.rpm
                            7.1/RPMS/Zope-pcgi-2.1.6-1mdk.i586.rpm
                            7.1/RPMS/Zope-services-2.1.6-1mdk.i586.rpm
                            7.1/RPMS/Zope-zpublisher-2.1.6-1mdk.i586.rpm
                            7.1/RPMS/Zope-zserver-2.1.6-1mdk.i586.rpm
                            7.1/RPMS/Zope-ztemplates-2.1.6-1mdk.i586.rpm
                            7.1/SRPMS/Zope-2.1.6-1mdk.src.rpm