[Zope-Annce] Zope 4.6.3 and 5.3 released with a security fix

Jens Vagelpohl jens at plyp.com
Sat Jul 31 09:55:20 GMT 2021 

On behalf of Zope developer community I am pleased to announce the releases of Zope 4.6.3 and 5.3.

This bugfix release solves a few minor issues and contains a security fix. For the full list of changes see the change logs at https://zope.readthedocs.io/en/4.x/changes.html#id1 and https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at https://zope.readthedocs.io/en/4.x/INSTALL.html and https://zope.readthedocs.io/en/latest/INSTALL.html.

These releases contain a security fix that prevents remote code execution through Script (Python) objects. You are only at risk if all of the following are true:

- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
- You have installed the optional Products.PythonScripts add-on package
- You allow untrusted non-admin users to add or edit Script (Python) objects

By default, untrusted non-admin users cannot add or edit Script (Python) objects, only “Manager” users can. Enabling this level of access for untrusted users would be a very unusual configuration and it is highly unlikely any site administrator would do so to begin with.

The related security advisories with full details are published here:

- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See https://plone.org/security/hotfix/20210518. Don't install Zope 4.6.3 or 5.3 into an existing Plone setup without testing. The PloneHotfix packages ensures that the Zope changes don’t interfere with Plone add-ons.

Jens Vagelpohl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://mail.zope.org/pipermail/zope-announce/attachments/20210731/00309490/attachment.sig>

More information about the Zope-Announce mailing list