From jens at plyp.com Tue Jun 8 08:46:35 2021
From: jens at plyp.com (Jens Vagelpohl)
Date: Tue, 8 Jun 2021 10:46:35 +0200
Subject: [Zope] Zope 4.6.1 and 5.2.1 released with an important security fix
Message-ID:

On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.6.1 and 5.2.1. This bugfix release solves a few minor issues and also contains an important security fix, see below.

For the full list of changes see the change logs at
https://zope.readthedocs.io/en/4.x/changes.html#id1 and
https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at
https://zope.readthedocs.io/en/4.x/INSTALL.html and
https://zope.readthedocs.io/en/latest/INSTALL.html.

NOTE: These releases contain an expanded security fix that prevents remote code execution through TAL expressions. The first iteration of the security fix in Zope 4.6 and 5.2 did not catch all cases of unauthorized TAL path expression traversal. Just like the first fix, you will only ever be at risk if you allow untrusted users to add or edit Zope Page Template objects, which is a very unusual non-standard site configuration. For more details, see the security advisory at
https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6.
A CVE has been requested through GitHub.

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See https://plone.org/security/hotfix/20210518. Don't install Zope 4.6.1 or 5.2.1 into an existing Plone setup without testing. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.

Jens Vagelpohl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL:

From jens at plyp.com Sun Jun 27 09:37:13 2021
From: jens at plyp.com (Jens Vagelpohl)
Date: Sun, 27 Jun 2021 11:37:13 +0200
Subject: [Zope] Zope 4.6.2 released
Message-ID: <3E96E7A3-AC0A-4291-A375-ABFBD213427E@plyp.com>

On behalf of the Zope developer community I am pleased to announce the release of Zope 4.6.2. This bugfix release backports the stricter path expression traversal code from Zope 5.

For the full list of changes see the change log at
https://zope.readthedocs.io/en/4.x/changes.html#id1

Installation instructions can be found at
https://zope.readthedocs.io/en/4.x/INSTALL.html

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See https://plone.org/security/hotfix/20210518. Don't install Zope 4.6.2 into an existing Plone setup without testing. The traversal changes in Zope break some Plone add-ons that relied on the old traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.

Jens Vagelpohl