Bug#415564: [mj@zopatista.com: [Zope-Annce] Hotfix for cross-site scripting vulnerability]

Bastian Blank bastian at waldi.eu.org
Tue Mar 20 12:46:19 UTC 2007


Package: zope2.9
Version: 2.9.6-4
Severity: important
Tags: security

----- Forwarded message from Martijn Pieters <mj at zopatista.com> -----

To: Zope Announce <zope-announce at zope.org>
From: Martijn Pieters <mj at zopatista.com>
Date: Tue, 20 Mar 2007 09:40:30 +0100
Subject: [Zope-Annce] Hotfix for cross-site scripting vulnerability

A vulnerability has been discovered in Zope, whereby certain types of
misuse of HTTP GET could allow an attacker to gain elevated privileges. All
Zope versions up to and including 2.10.2 are affected.

Overview

   This hotfix removes the exploit by mandating that security setting
   alterations can only be made through POST requests. This vulnerability
   has been fixed in the Zope 2.8, 2.9 and 2.10 branches and all future
   releases of Zope will include this fix.

   Do note that this patch only affects direct requests to the security
   methods; any 3rd-party code that calls these methods indirectly may
   still be affected.

Hotfix

   We have prepared a hotfix for this problem at:

   http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/

   This hotfix should be installed as soon as possible.

   To install, simply extract the archive into your Products
   directory in your Zope installation.

   See http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt
   for installation instructions.

----- End forwarded message -----

-- 
But Captain -- the engines can't take this much longer!
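As an added illustration (not code from the Zope hotfix or from the announcement above), the following Python models the fix the announcement describes: a guard that refuses direct requests to a security-altering method unless they arrive by POST, together with the caveat that a third-party method published over GET which calls the guarded method internally is not covered, and the obvious remedy of guarding that method too. Every name here (`require_post`, `SecuredFolder`, `ThirdPartyFolder`, `manage_grantFromGet`, the toy `publish` dispatcher and `Request` class) is hypothetical; `manage_setLocalRoles` borrows a Zope method name for readability but its signature and body are invented for this example and are not Zope's.

```python
"""Hypothetical model of a POST-only guard on security-altering methods.

Not the Zope hotfix's code. It shows why mandating POST blocks the direct
GET path, and why an indirect call from third-party code can still bypass it.
"""
import functools


class Forbidden(Exception):
    """Raised when a state-changing method is reached via the wrong HTTP method."""


class Request:
    """Minimal stand-in for an HTTP request: only method and form fields matter here."""

    def __init__(self, method, form=None):
        self.method = method.upper()
        self.form = dict(form or {})


def require_post(func):
    """Reject a direct web request to `func` unless it is a POST.

    When no request object is passed (an internal call from other code),
    the check is skipped, mirroring how a web-facing method cannot tell
    which HTTP method reached its indirect caller.
    """

    @functools.wraps(func)
    def wrapper(self, *args, request=None, **kwargs):
        if request is not None and request.method != "POST":
            raise Forbidden(f"{func.__name__} requires POST, got {request.method}")
        return func(self, *args, request=request, **kwargs)

    return wrapper


class SecuredFolder:
    """Container whose local-role assignments are a security setting."""

    def __init__(self):
        self.local_roles = {"alice": {"Manager"}}

    @require_post
    def manage_setLocalRoles(self, userid, roles, request=None):
        # Security setting alteration: only reachable directly via POST.
        self.local_roles[userid] = set(roles)
        return sorted(self.local_roles[userid])


class ThirdPartyFolder(SecuredFolder):
    """Hypothetical add-on exposing its own web-callable helpers."""

    def manage_grantFromGet(self, userid, request=None):
        # Indirect path: the guarded method is called without forwarding the
        # request, so the POST check never runs even when this was a GET.
        return self.manage_setLocalRoles(userid, ["Manager"])

    @require_post
    def manage_grantGuarded(self, userid, request=None):
        # Remedy for the caveat: the third-party entry point carries the
        # same POST requirement as the method it wraps.
        return self.manage_setLocalRoles(userid, ["Manager"])


def publish(folder, name, request):
    """Toy publisher: route a request to the named method, form fields as kwargs."""
    return getattr(folder, name)(request=request, **request.form)


def demo():
    """Exercise direct GET, direct POST, unguarded indirect GET and guarded indirect GET."""
    results = {}
    folder = ThirdPartyFolder()

    # Constructed requests standing in for an attacker-induced GET and a legitimate POST.
    get = Request("GET", {"userid": "mallory", "roles": ["Manager"]})
    try:
        publish(folder, "manage_setLocalRoles", get)
        results["direct_get"] = "allowed"
    except Forbidden:
        results["direct_get"] = "forbidden"

    post = Request("POST", {"userid": "bob", "roles": ["Owner"]})
    results["direct_post"] = publish(folder, "manage_setLocalRoles", post)

    results["indirect_get"] = publish(folder, "manage_grantFromGet",
                                      Request("GET", {"userid": "mallory"}))
    try:
        publish(folder, "manage_grantGuarded", Request("GET", {"userid": "eve"}))
        results["indirect_get_guarded"] = "allowed"
    except Forbidden:
        results["indirect_get_guarded"] = "forbidden"

    results["mallory_roles"] = sorted(folder.local_roles.get("mallory", set()))
    results["eve_present"] = "eve" in folder.local_roles
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The direct GET is refused and the direct POST succeeds, which is the whole effect of the hotfix; the unguarded third-party helper still lets a GET grant "mallory" the Manager role, which is exactly the indirect case the announcement warns about. Note that requiring POST only raises the bar: a cross-site form can still POST, so a full fix also needs a request token the attacker cannot forge.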

