The issue involves the security of the indexes of ZCatalog objects. A flaw
in the security settings of ZCatalog allows anonymous users to call arbitrary
methods of catalog indexes. The vulnerability also allows untrusted code to
do the same.
--
From: MAINTAINER
The issue involves a vulnerability involving "through the web code"
inadvertently allowing an untrusted user to remotely shut down a
Zope server by allowing the user to inject special headers into the
response. If you allow untrusted users to write "through the web"
code like Python Scripts, DTML Methods, or Page Templates, your
Zope server is vulnerable.
knows if 2.5.1 is going to come out in time for the release.
Also add my patch to fix setuid support (not used by default) and
set our own version string to distinguish this from an "official"
Zope release.
- regress
- add zope-instance relative path support
- do optimizing compile on python files too, like lang/python, and use optimized in default zope-instance start script
