This is an addition to DSA 043-1, which fixes several vulnerabilities
in Zope. Something went wrong with that release, so it has to be corrected. The
previous security release, 2.1.6-7, has two severe problems:
1. zope 2.1.6-7 erroneously included Hotfix 2000-10-02 (a fix for a
vulnerability that only affects Zope 2.2.0 and later). The
inclusion of this Hotfix completely broke authentication,
which rendered zope 2.1.6-7 practically unusable.
The Hotfix 2000-10-02 is removed in 2.1.6-9.
2. The Hotfix 2000-10-11 in zope 2.1.6-7 was non-functional, leaving
the package vulnerable to the possible exploit fixed by this
Hotfix:
Hotfix 2000-10-11 "ObjectManager subscripting"
The issue is that the 'subscript notation' that can be used to
access items of ObjectManagers (Folders) did not correctly
restrict return values to actual sub-items only. This made it
possible to access, from DTML, names that should be private
(objects with names beginning with th...
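To make the bug class concrete, here is an added, simplified Python model; it is not Zope's ObjectManager code and the class and attribute names (`InsecureFolder`, `SecureFolder`, `_secret`, `lookup`) are assumptions. The "before" container lets subscript access fall through to ordinary attribute lookup, so any attribute of the container is reachable by name from a template; the "after" container answers subscript requests only from its registered sub-items and refuses everything else.

```python
class InsecureFolder:
    """Model of the flawed behaviour: folder[name] falls back to attribute
    lookup when name is not a registered sub-item. (Constructed example.)"""

    def __init__(self):
        # Constructed internal attribute that a template should never reach.
        self._secret = "internal-config"
        self._items = {}

    def add(self, name, obj):
        """Register obj as an actual sub-item of this folder."""
        self._items[name] = obj

    def __getitem__(self, name):
        if name in self._items:
            return self._items[name]
        # Bug: unknown names fall through to getattr, exposing internals
        # such as _secret via subscript notation.
        return getattr(self, name)


class SecureFolder(InsecureFolder):
    """Hardened form: subscript access is restricted to real sub-items."""

    def __getitem__(self, name):
        if name in self._items:
            return self._items[name]
        # Anything that is not a registered sub-item is treated as absent,
        # regardless of whether the container happens to have an attribute
        # of that name.
        raise KeyError(name)


def lookup(folder, name):
    """Resolve name through subscript notation, as a template engine would;
    returns None when the container reports the name as absent."""
    try:
        return folder[name]
    except KeyError:
        return None


if __name__ == "__main__":
    for cls in (InsecureFolder, SecureFolder):
        folder = cls()
        folder.add("index", "<public page>")
        print(cls.__name__, "index ->", lookup(folder, "index"))
        print(cls.__name__, "_secret ->", lookup(folder, "_secret"))
```

The check that matters in the hardened form is that membership in the sub-item registry is the only path to a result; a separate attribute namespace on the same object must never be consulted when resolving a subscript.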