COMMAND

    Zope

SYSTEMS AFFECTED

    Zope

PROBLEM

    There are issues in the getRoles method of user objects contained
    in the default UserFolder implementation. Users with the ability
    to edit DTML could arrange to give themselves extra roles for the
    duration of a single request by mutating the roles list as a part
    of the request processing.
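    The defect class described above is an accessor that hands out its
    own mutable roles list, so any code that can call it and mutate the
    result changes the user's effective roles for as long as that object
    is in use. The following is an added example, not Zope's code: a
    hypothetical LeakyUser with that defect beside a HardenedUser that
    returns an immutable snapshot, plus a regression check a maintainer
    can keep in a test suite. All class and function names are assumed.

```python
# Added illustration of the aliasing defect class, not Zope's own code.
# Names (LeakyUser, HardenedUser, aliasing_check) are hypothetical.


class LeakyUser:
    """Hypothetical user object whose getRoles() returns the internal list."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        # Defect: the caller receives the very list that defines this
        # user's roles, so an append by the caller changes authorization.
        return self._roles


class HardenedUser:
    """Same object, but getRoles() returns an immutable snapshot."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = tuple(roles)

    def getRoles(self):
        # A tuple cannot be mutated; callers wanting a list get a copy
        # with list(user.getRoles()) and cannot affect this object.
        return self._roles


def has_role(user, role):
    """Authorization check as the application would perform it."""
    return role in user.getRoles()


def caller_can_mutate_roles(user, role):
    """Models a caller with read access to the roles that tries to append
    to the returned object. Returns True if the append succeeded."""
    roles = user.getRoles()
    try:
        roles.append(role)
        return True
    except AttributeError:  # tuples have no append()
        return False


def aliasing_check(user_class):
    """Regression check for the accessor: after a caller mutates whatever
    getRoles() returned, does the user still have only the roles it was
    created with? Returns True when the accessor is safe."""
    user = user_class("alice", ["Authenticated"])  # constructed sample
    caller_can_mutate_roles(user, "Manager")
    return not has_role(user, "Manager")


if __name__ == "__main__":
    print("LeakyUser safe:", aliasing_check(LeakyUser))        # False
    print("HardenedUser safe:", aliasing_check(HardenedUser))  # True
```

    The check is deliberately phrased in terms of the observable outcome
    (does has_role change) rather than the type returned, so it stays
    valid if a later fix returns a defensive list copy instead of a tuple.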

SOLUTION

    Users of Red Hat Powertools 6.1 who have not upgraded Zope to the
    version of Zope released in Red Hat Powertools 6.2 (2.1.2-5) need
    to do so prior to installing this Zope update. The Zope packages
    from 6.2 are located at:

        ftp://ftp.redhat.com/pub/redhat/powertools/6.2/

    After you have upgraded to Zope-2.1.2-5, install the Zope-Hotfix
    package. To install the update, use this command:

        rpm -Uvh Zope-Hotfix-DTML-08_17_2000-1.noarch.rpm

    Once the Zope-Hotfix package is installed, restart Zope.

    Debian 2.1 (slink) did not include zope, and is not vulnerable.
    The widely-used Debian 2.2 (potato) pre-release does include zope
    and is vulnerable to this issue. A fixed package for Debian 2.2
    (potato) is available in zope 2.1.6-5.1.

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/Zope-2.1.7-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-components-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-core-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-pcgi-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-services-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-zpublisher-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-ztemplates-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/Zope-2.1.7-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-components-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-core-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-pcgi-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-services-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-zpublisher-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-ztemplates-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/Zope-2.1.7-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-components-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-core-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-pcgi-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-services-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-zpublisher-2.1.7-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-ztemplates-2.1.7-6cl.i386.rpm

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.0.tgz

    For Linux-Mandrake:

        Linux-Mandrake 7.1: 7.1/RPMS/Zope-2.1.6-3mdk.i586.rpm
                            7.1/RPMS/Zope-components-2.1.6-3mdk.i586.rpm
                            7.1/RPMS/Zope-core-2.1.6-3mdk.i586.rpm
                            7.1/RPMS/Zope-pcgi-2.1.6-3mdk.i586.rpm
                            7.1/RPMS/Zope-services-2.1.6-3mdk.i586.rpm
                            7.1/RPMS/Zope-zpublisher-2.1.6-3mdk.i586.rpm
                            7.1/RPMS/Zope-zserver-2.1.6-3mdk.i586.rpm
                            7.1/RPMS/Zope-ztemplates-2.1.6-3mdk.i586.rpm
                            7.1/SRPMS/Zope-2.1.6-3mdk.src.rpm

    Debian 2.1 (slink) did not include zope, and is not vulnerable.
    Debian 2.2 (potato) does include zope and is vulnerable to this
    issue. A fixed package for Debian 2.2 (potato) is available in
    zope 2.1.6-5.2.