Hotfix_2002-03-01

This is a "hotfix" product. Hotfix products can be installed to
incorporate modifications to Zope at runtime without requiring
an immediate installation upgrade. Hotfix products are installed
just as you would install any other Zope product.

This hotfix addresses an important security issue that may affect
some users of Zope versions 2.2.0 through 2.5.x.

The issue involves the checking of security for objects with proxy
roles. The context of the owner user that created the object with
proxy roles was not being taken into account when determining access
to the object with proxy roles. This flaw could allow users defined
in subfolders of a site with sufficient privileges to access objects
at higher levels in the site that they would not normally be able to
access.

We highly recommend that any Zope site running Zope 2.2.0 through Zope
2.5.x have this hotfix product installed to mitigate the issue. Zope
2.5.1 and 2.4.4 will contain a fix for the issue, at which time the
hotfix can be removed.
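The proxy-role check described above can be illustrated with a simplified model. This is an added example, not code from the hotfix or from Zope; the names Folder, Item, Script, allowed_before, allowed_after and demo are hypothetical, and the folder tree is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(eq=False)
class Folder:
    name: str
    parent: Optional["Folder"] = None

    def contains(self, other: "Folder") -> bool:
        """True if `other` is this folder or lies somewhere below it."""
        node = other
        while node is not None:
            if node is self:
                return True
            node = node.parent
        return False

@dataclass(eq=False)
class Item:
    container: Folder      # where the accessed object lives
    required_role: str     # role needed to access it

@dataclass(eq=False)
class Script:
    proxy_roles: frozenset # roles the object runs with
    owner_home: Folder     # folder in which the owning user is defined

def allowed_before(script: Script, item: Item) -> bool:
    # Model of the flaw: only the proxy roles are consulted; where the
    # owner was defined is ignored.
    return item.required_role in script.proxy_roles

def allowed_after(script: Script, item: Item) -> bool:
    # Model of the fix: the owner must be defined at or above the accessed
    # item, otherwise the proxy roles do not apply to it.
    if not script.owner_home.contains(item.container):
        return False
    return item.required_role in script.proxy_roles

def demo() -> dict:
    root = Folder("root")              # constructed sample site
    dept = Folder("dept", root)        # subfolder with its own users
    by_sub_user = Script(frozenset({"Manager"}), owner_home=dept)
    by_root_user = Script(frozenset({"Manager"}), owner_home=root)
    top, local = Item(root, "Manager"), Item(dept, "Manager")
    return {
        "sub_user_top": (allowed_before(by_sub_user, top), allowed_after(by_sub_user, top)),
        "sub_user_local": (allowed_before(by_sub_user, local), allowed_after(by_sub_user, local)),
        "root_user_local": (allowed_before(by_root_user, local), allowed_after(by_root_user, local)),
    }
```

Only the first case changes: an object owned by a subfolder user no longer reaches an item above that subfolder, while access within the owner's own context is unaffected.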