Explore top 10 tips to secure your open-source projects now. Read More
×This advisory covers several vulnerabilities in Zope that have been
addressed.
1. Hotfix 08_09_2000 "Zope security alert and hotfix product"
The issue involves the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type. Because the mutable object is still associated with
the persistent User object, users with the ability to edit DTML
could arrange to give themselves extra roles for the duration of a
single request by mutating the roles list as a part of the request
processing.
2. Hotfix 2000-10-02 "ZPublisher security update"
It is sometimes possible to access, through an URL only, objects
protected by a role which the user has in some context, but not in
the context of the accessed object.
3. Hotfix 2000-10-11 "ObjectManager subscripting"
The issue involves the fact that the 'subscript notation' that can
be used to access items of ObjectManagers (Folders) did not
correctly...
Get the latest Linux and open source security news straight to your inbox.