Python 2.3.3 doesn't need to import the types module here anymore

xmlrpclib in Python 2.3+ includes support for nil values and basic auth, so
Zope no longer needs to provide its own version.

  - Don't use bare 'eval' to check filtered set membershp (merge from
    2.6 / 2.7 audit).

  - ZConfig changes for ZSP.

  - Merge a number of entangled issues from 2.6 / 2.7 audit:

    Iteration over sequences could in some cases fail to check access
    to an object obtained from the sequence. Subsequent checks (such
    as for attributes access) of such an object would still be
    performed, but it should not have been possible to obtain the
    object in the first place.

    List and dictionary instance methods such as the get method of
    dictionary objects were not security aware and could return an
    object without checking access to that object. Subsequent checks
    (such as for attributes access) of such an object would still be
    performed, but it should not have been possible to obtain the
    object in the first place.

    Use of "import as" in Python scripts could potentially rebind
    names in ways that could be used to avoid appropriate security
    checks.

    A number of newer built-ins were either unavailable in untrusted
    code or did not perform adequate security checking.

    Unpacking via function calls, variable assignment, exception
    variables and other contexts did not perform adequate security
    checks, potentially allowing access to objects that should have
    been protected.

    Class security was not properly intialized for PythonScripts,
    potentially allowing access to variables that should be protected.
    It turned out that most of the security assertions were in fact
    activated as a side effect of other code, but this fix is still
    appropriate to ensure that all security declarations are properly
    applied.

    DTMLMethods with proxy rights could incorrectly transfer those
    rights via acquisition when traversing to a parent object.

  - Wire up security policy selection machinery to ZConfig (note that the
    'C' policy is currently borked, but should be fixed very soon).

  - Don't allow Unicode strings to be passed to response.write() (merged
    from 2.6 / 2.7 audit).