COMMAND

    zope

SYSTEMS AFFECTED

    zope

PROBLEM

    A security advisory was released indicating that Erik Enge had found
    a problem in the way Zope calculates roles.  In some situations Zope
    checked the wrong folder hierarchy, which could cause it to grant
    local roles when it should not.  In other words: users with
    privileges in one folder could gain privileges in another folder.

    Another security alert was released revealing a potential  problem
    found by Peter Kelly.  This problem involved incorrect  protection
    of data updating  for Image and  File objects: any  user with DTML
    editing  privileges  could  update  the  File or Image object data
    directly.

    Aleksander Salwa has reported a security issue that affects all Zope
    versions up to and including Zope 2.2.4.  The issue
    involves  security  registration  of  "legacy"  names  for certain
    object  constructors  such  as  the  constructors  for DTML Method
    objects.  Security was not being applied correctly for the  legacy
    names, making it possible  to call those constructors  without the
    permissions  that  should  have  been  required.  This issue could
    allow anonymous users  with enough internal  knowledge of Zope  to
    instantiate  new  DTML  Method  instances  through  the Web.  Only
    Zope-2.2.0 and up are affected.
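
    The first and third issues above (local roles computed against the
    wrong hierarchy, and constructor names published without a permission
    registration) both come down to an authorization check consulting the
    wrong data.  The following is an added, simplified Python model
    written for this page; it is not Zope's code and does not reproduce
    Zope's internals.  All folder, user, role and permission names are
    constructed, and the constructor names are illustrative ones chosen to
    resemble the ones the advisory mentions.  It shows a role lookup that
    only walks the object's own containment chain, a registry that binds
    every name of a constructor (canonical and legacy) to the same
    permission, an audit that lists published names with no permission,
    and a fail-closed check beside the fail-open variant it replaces.

```python
# Added illustrative model of acquired local roles and of permission
# registration for constructor names. NOT Zope's code; every name below
# is constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # user -> roles granted locally in this folder only
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)


def roles_for(user: str, obj: Folder) -> Set[str]:
    """Roles a user holds at obj: the union of local roles along obj's OWN
    containment chain (obj, its parent, ..., root). The bug the advisory
    describes amounts to consulting a different chain; the fix is to never
    look at a sibling hierarchy."""
    roles = {"Anonymous"}
    node: Optional[Folder] = obj
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.parent
    return roles


@dataclass
class Registry:
    # callable name (canonical or legacy alias) -> required permission
    protected: Dict[str, str] = field(default_factory=dict)
    # permission -> roles allowed to exercise it
    permission_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # every name reachable through the web, protected or not
    published: Set[str] = field(default_factory=set)

    def register_constructor(self, names: Iterable[str], permission: str,
                             roles: Iterable[str]) -> None:
        """Register a constructor under ALL of its names at once, so a
        legacy alias can never be published without the permission."""
        for name in names:
            self.published.add(name)
            self.protected[name] = permission
        self.permission_roles[permission] = set(roles)

    def unprotected_names(self) -> Set[str]:
        """Audit: published names that carry no permission declaration."""
        return self.published - set(self.protected)

    def may_call(self, user: str, folder: Folder, name: str) -> bool:
        """Fail closed: a name with no registered permission is refused."""
        perm = self.protected.get(name)
        if perm is None:
            return False
        return bool(roles_for(user, folder) & self.permission_roles[perm])


def permissive_may_call(reg: Registry, user: str, folder: Folder,
                        name: str) -> bool:
    """The fail-open variant: an unregistered name is treated as free to
    call. Shown only to contrast with Registry.may_call."""
    perm = reg.protected.get(name)
    if perm is None:
        return True
    return bool(roles_for(user, folder) & reg.permission_roles[perm])


def build_demo():
    """Constructed site: /a and /b under root; alice is Manager in /a only."""
    root = Folder("root")
    a = Folder("a", parent=root)
    b = Folder("b", parent=root)
    a.local_roles["alice"] = {"Manager"}

    reg = Registry()
    # Canonical name and legacy alias registered together (illustrative names).
    reg.register_constructor(["manage_addDTMLMethod", "addDTMLMethod"],
                             "Add DTML Methods", {"Manager"})
    # A name that was published but never given a permission: the kind of
    # gap the advisory describes, and what unprotected_names() should flag.
    reg.published.add("legacy_addDTMLMethod")
    return {"root": root, "a": a, "b": b}, reg


if __name__ == "__main__":
    folders, reg = build_demo()
    print("alice in /a:", sorted(roles_for("alice", folders["a"])))
    print("alice in /b:", sorted(roles_for("alice", folders["b"])))
    print("unprotected names:", reg.unprotected_names())
    print("anonymous via unprotected alias, fail-open :",
          permissive_may_call(reg, "mallory", folders["b"], "legacy_addDTMLMethod"))
    print("anonymous via unprotected alias, fail-closed:",
          reg.may_call("mallory", folders["b"], "legacy_addDTMLMethod"))
```

    Running it shows alice's Manager role appearing in /a but not in /b,
    the audit naming the one alias that was published without a
    permission, and the fail-open check granting an anonymous user that
    alias while the fail-closed check refuses it.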

SOLUTION

    For Debian:

        http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-5.4.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6-5.4.dsc
        http://security.debian.org/dists/stable/updates/main/source/zope_2.1.6.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-alpha/zope_2.1.6-5.4_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/zope_2.1.6-5.4_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/zope_2.1.6-5.4_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/zope_2.1.6-5.4_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/zope_2.1.6-5.4_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/zope_2.1.6-5.4_sparc.deb

    For RedHat:

        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-components-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-core-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-pcgi-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-services-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-zpublisher-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-zserver-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/Zope-ztemplates-2.2.4-3.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-components-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-core-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-pcgi-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-services-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-zpublisher-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-zserver-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/Zope-ztemplates-2.2.4-3.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-components-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-core-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-pcgi-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-services-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-zpublisher-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-zserver-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/Zope-ztemplates-2.2.4-3.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-2.2.4-3.src.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-components-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-core-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-pcgi-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-services-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-zpublisher-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-zserver-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/alpha/Zope-ztemplates-2.2.4-4.alpha.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-components-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-core-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-pcgi-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-services-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-zpublisher-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-zserver-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/i386/Zope-ztemplates-2.2.4-4.i386.rpm
        ftp://updates.redhat.com/powertools/7.0/SRPMS/Zope-2.2.4-4.src.rpm
        ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-Hotfix-DTML-2000_12_18-1.src.rpm
        ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-DTML-2000_12_18-1.noarch.rpm
        ftp://updates.redhat.com/powertools/7.0/SRPMS/Zope-Hotfix-DTML-2000_12_18-1.src.rpm
        ftp://updates.redhat.com/powertools/7.0/noarch/Zope-Hotfix-DTML-2000_12_18-1.noarch.rpm

    For Linux-Mandrake:

        Linux-Mandrake 7.1: 7.1/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
                            7.1/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
                            7.1/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
                            7.1/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
                            7.1/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
                            7.1/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
                            7.1/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
                            7.1/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
                            7.1/SRPMS/Zope-2.2.4-1.2mdk.src.rpm
        Linux-Mandrake 7.2: 7.2/RPMS/Zope-2.2.4-1.2mdk.i586.rpm
                            7.2/RPMS/Zope-components-2.2.4-1.2mdk.i586.rpm
                            7.2/RPMS/Zope-core-2.2.4-1.2mdk.i586.rpm
                            7.2/RPMS/Zope-pcgi-2.2.4-1.2mdk.i586.rpm
                            7.2/RPMS/Zope-services-2.2.4-1.2mdk.i586.rpm
                            7.2/RPMS/Zope-zpublisher-2.2.4-1.2mdk.i586.rpm
                            7.2/RPMS/Zope-zserver-2.2.4-1.2mdk.i586.rpm
                            7.2/RPMS/Zope-ztemplates-2.2.4-1.2mdk.i586.rpm
                            7.2/SRPMS/Zope-2.2.4-1.2mdk.src.rpm

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.4.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.4.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.4.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.4.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.4.tgz

    The hotfix for this issue is available on the zope.org web site:

        http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz