Zope security alert and hotfix product
We have recently become aware of an important security issue that affects all released Zope versions prior to 2.2.1 beta 1.
The issue involves the fact that the getRoles method of user objects contained in the default UserFolder implementation returns a mutable Python type. Because the mutable object is still associated with the persistent User object, users with the ability to edit DTML could arrange to give themselves extra roles for the duration of a single request by mutating the roles list as a part of the request processing.
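The following is an added illustration, not code from Zope or from the hotfix product. It uses a toy user class (names `VulnerableUser`, `HardenedUser`, `CopyingUser`, `has_role` and `roles_are_isolated` are all made up for this example) to show why returning the internal roles list from `getRoles` is an aliasing defect, what the two usual fixes look like (return a tuple, or return a fresh copy), and a small check a site operator can run to confirm that mutating the returned value no longer changes the roles a user object subsequently reports. Written for Python 3.

```python
# Added example (not Zope's own code): the getRoles aliasing defect and its fixes.

class VulnerableUser:
    """Toy stand-in for a persistent user object (hypothetical class)."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)        # the "persistent" state

    def getRoles(self):
        # DEFECT: hands the caller the very list the object keeps, so any
        # mutation of the return value is a mutation of the stored roles.
        return self._roles


class HardenedUser(VulnerableUser):
    def getRoles(self):
        # FIX 1: return an immutable snapshot; callers cannot append to it.
        return tuple(self._roles)


class CopyingUser(VulnerableUser):
    def getRoles(self):
        # FIX 2: return a fresh list; mutations affect only the copy.
        return list(self._roles)


def has_role(user, role):
    """Authorization decision as a consumer of getRoles would make it."""
    return role in user.getRoles()


def roles_are_isolated(user):
    """Regression check: mutate what getRoles returns and confirm the roles
    the object reports afterwards are unchanged.  True means isolated."""
    before = tuple(user.getRoles())
    returned = user.getRoles()
    try:
        returned.append("Manager")   # the kind of mutation the advisory describes
    except AttributeError:
        return True                  # tuple: nothing to alias
    return tuple(user.getRoles()) == before


if __name__ == "__main__":
    for cls in (VulnerableUser, HardenedUser, CopyingUser):
        u = cls("alice", ["Member"])       # constructed sample user
        print(cls.__name__, "isolated:", roles_are_isolated(u),
              "Manager:", has_role(u, "Manager"))
```

The check is deliberately independent of how the fix is implemented: a tuple passes because it cannot be mutated at all, and a copy passes because the mutation never reaches the stored list. Only the vulnerable class fails, because after the append `has_role` would start answering `True` for a role the user was never granted.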
While we know of no instances of this issue being used to exploit a site, we highly recommend that any Zope site running versions of Zope prior to 2.2.1 have this hotfix product installed to mitigate the issue if the site is accessible by untrusted users who have DTML editing privileges.
A hotfix for this issue in the form of an add-on Zope product has been made available on zope.org. To install the hotfix, simply download and install the package as you would any other Zope add-on product (extract it in the root of your Zope installation). Remember to restart your Zope installation for the hotfix to take effect.
The hotfix will work for all versions of Zope 2.0 and higher. The forthcoming Zope 2.2.1 beta 1 release will contain the fix for this issue, and you will be able to uninstall the hotfix after upgrading to 2.2.1 beta 1 or higher (though nothing bad will happen if you don't uninstall it).