Hotfix_2000-10-11

This is a "hotfix" product. Hotfix products can be installed to incorporate modifications to Zope at runtime without requiring an immediate installation upgrade. Hotfix products are installed just as you would install any other Zope product.

This hotfix addresses an important security issue that affects all released Zope versions up to and including Zope 2.2 final.

The issue is that the 'subscript notation' that can be used to access items of ObjectManagers (Folders) did not correctly restrict return values to only actual sub-items. This made it possible to access names that should be private (objects with names beginning with the underscore '_' character) from DTML. This could allow DTML authors to see private implementation data structures and, in certain cases, possibly call methods that they shouldn't have access to from DTML.

While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site running versions of Zope up to and including 2.2.2 have this hotfix product installed to mitigate the issue if the site is accessible by untrusted users who have DTML editing privileges.
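
The class of flaw described above, and a runtime replacement of the lookup, shown as an added example on a simplified model. This is not Zope's ObjectManager code or the hotfix source; ToyFolder, restricted_getitem, apply_hotfix and the sample data are hypothetical names and values constructed for illustration.

```python
# Simplified model of the issue; ToyFolder and apply_hotfix are hypothetical
# names for this example and are not Zope's ObjectManager or the hotfix source.

class ToyFolder:
    """Folder-like container: sub-items are stored as attributes and
    registered by id in _objects, next to private implementation data."""

    def __init__(self):
        self._objects = ()  # ids of the actual sub-items
        self._secret_state = {"internal": "implementation detail"}  # constructed

    def add(self, item_id, obj):
        setattr(self, item_id, obj)
        self._objects += (item_id,)

    # Flawed lookup: any attribute name is reachable through folder[name],
    # including names that begin with '_'.
    def __getitem__(self, key):
        try:
            return getattr(self, key)
        except AttributeError:
            raise KeyError(key)


def restricted_getitem(self, key):
    """Return only objects that were registered as sub-items."""
    if isinstance(key, str) and key in self._objects:
        return getattr(self, key)
    raise KeyError(key)


def apply_hotfix(cls=ToyFolder):
    """Replace the lookup on the class at runtime, so existing instances
    pick up the restricted behaviour without being rebuilt."""
    cls.__getitem__ = restricted_getitem


def demo():
    folder = ToyFolder()
    folder.add("index_html", "<p>hello</p>")  # constructed sample sub-item
    before = folder["_secret_state"]  # private data is returned
    apply_hotfix()
    try:
        folder["_secret_state"]
        after = "leaked"
    except KeyError:
        after = "blocked"
    return before, after, folder["index_html"]


if __name__ == "__main__":
    print(demo())
```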