Mailing List Archive

Zope 4.6.3 and 5.3 released with a security fix
On behalf of Zope developer community I am pleased to announce the releases of Zope 4.6.3 and 5.3.

This bugfix release solves a few minor issues and contains a security fix. For the full list of changes see the change logs at https://zope.readthedocs.io/en/4.x/changes.html#id1 and https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at https://zope.readthedocs.io/en/4.x/INSTALL.html and https://zope.readthedocs.io/en/latest/INSTALL.html.

These releases contain a security fix that prevents remote code execution through Script (Python) objects. You are only at risk if all of the following are true:

- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
- You have installed the optional Products.PythonScripts add-on package
- You allow untrusted non-admin users to add or edit Script (Python) objects

By default, untrusted non-admin users cannot add or edit Script (Python) objects, only “Manager” users can. Enabling this level of access for untrusted users would be a very unusual configuration and it is highly unlikely any site administrator would do so to begin with.

The related security advisories with full details are published here:

- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See https://plone.org/security/hotfix/20210518. Don't install Zope 4.6.3 or 5.3 into an existing Plone setup without testing. The PloneHotfix packages ensures that the Zope changes don’t interfere with Plone add-ons.

Jens Vagelpohl