ANNOUNCE: Security update for Tcl Windows API (TWAPI)

[APN]

TWAPI 2.2.5 is a security update and contains no new features
over previously released version 2.2.3. The update is available
from the usual TWAPI download area on sourceforge
(http://sourceforge.net/projects/twapi/files/)

V2.2.5 fixes a security-related bug present in earlier versions of
TWAPI on all Windows platforms. This bug is not present in any 3.x
(development) releases of TWAPI.

This bug manifests itself under the following conditions:
- the code creates a new file, console, windows station, desktop
or token using a TWAPI script level call or the raw API, and
- the resource creation call specifies a non-default security
descriptor, and
- the security descriptor specifies a non-default group

Under these circumstances, depending on the resource type and
whether the specified group is a Windows built-in group or not,
the resource creation call may fail with an error or
erroneously create the resource with the group as owner.

Note that changing the security descriptor of an existing
resource is not affected by this bug.