Mailing List Archive

Zope 4.6 and 5.2 released with an important security fix
On behalf of Zope developer community I am pleased to announce the releases of Zope 4.6 and 5.2.

This bugfix release solves a few minor issues and also contains an important security fix, see below. For the full list of changes see the change logs at https://zope.readthedocs.io/en/4.x/changes.html#id1 and https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at https://zope.readthedocs.io/en/4.x/INSTALL.html and https://zope.readthedocs.io/en/latest/INSTALL.html.

NOTE: These releases contain a security fix that prevents remote code execution through TAL expressions. You will only be at risk if you allow untrusted people to add or edit Zope Page Template objects. For more details, see the security advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36. A CVE has been requested through GitHub.

NOTE FOR PLONE USERS: Before installing Zope 4.6 or 5.2 make sure to install PloneHotfix20210518 first, see https://plone.org/security/hotfix/20210518. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.

Jens Vagelpohl
Re: Zope 4.6 and 5.2 released with an important security fix [ In reply to ]
Thank you very much for the fix and the new release.

As a user of plain Zope, and having already applied PloneHotfix20210518, I wonder whether I need or should deinstall the hotfix now.

e.g. the hotfix also touched xmlrpc, which this new release does not.

Or let me rephrase my question.

What is the current recommended way to mitigate the announced vulnerabilities for a plain Zope setup?

Install the just released Zope version and the hotfix? Or just the latest Zope version?

Thank you!
________________________________
Von: Zope <zope-bounces@zope.org> im Auftrag von Jens Vagelpohl <jens@netz.ooo>
Gesendet: Freitag, 21. Mai 2021 11:12
An: zope-announce@zope.org <zope-announce@zope.org>; zope@zope.org Users <zope@zope.org>
Betreff: [Zope] Zope 4.6 and 5.2 released with an important security fix

On behalf of Zope developer community I am pleased to announce the releases of Zope 4.6 and 5.2.

This bugfix release solves a few minor issues and also contains an important security fix, see below. For the full list of changes see the change logs at https://zope.readthedocs.io/en/4.x/changes.html#id1 and https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at https://zope.readthedocs.io/en/4.x/INSTALL.html and https://zope.readthedocs.io/en/latest/INSTALL.html.

NOTE: These releases contain a security fix that prevents remote code execution through TAL expressions. You will only be at risk if you allow untrusted people to add or edit Zope Page Template objects. For more details, see the security advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36. A CVE has been requested through GitHub.

NOTE FOR PLONE USERS: Before installing Zope 4.6 or 5.2 make sure to install PloneHotfix20210518 first, see https://plone.org/security/hotfix/20210518. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.

Jens Vagelpohl
Re: Zope 4.6 and 5.2 released with an important security fix [ In reply to ]
Hi Jürgen,

Zope and Plone are still two different projects. The Plone developers published a hotfix product that fixes everything they believe needed to be fixed. I looked at items that apply to plain Zope and made the required changes in Zope.

So anyone using plain Zope can install the latest update and they are safe. As a plain Zope developer I cannot comment on or make recommendations regarding a Plone hotfix, and Zope itself will never require a Plone add-on or hotfix. I don’t have any control over how the Plone release managers communicate these fixes, either. People who do not use Plone are advised to stick to published Zope updates.

jens



> On 21. May 2021, at 12:25 , Jürgen Gmach <juergen.gmach@apis.de> wrote:
>
> Thank you very much for the fix and the new release.
>
> As a user of plain Zope, and having already applied PloneHotfix20210518, I wonder whether I need or should deinstall the hotfix now.
>
> e.g. the hotfix also touched xmlrpc, which this new release does not.
>
> Or let me rephrase my question.
>
> What is the current recommended way to mitigate the announced vulnerabilities for a plain Zope setup?
>
> Install the just released Zope version and the hotfix? Or just the latest Zope version?
>
> Thank you!
> Von: Zope <zope-bounces@zope.org> im Auftrag von Jens Vagelpohl <jens@netz.ooo>
> Gesendet: Freitag, 21. Mai 2021 11:12
> An: zope-announce@zope.org <zope-announce@zope.org>; zope@zope.org Users <zope@zope.org>
> Betreff: [Zope] Zope 4.6 and 5.2 released with an important security fix
>
> On behalf of Zope developer community I am pleased to announce the releases of Zope 4.6 and 5.2.
>
> This bugfix release solves a few minor issues and also contains an important security fix, see below. For the full list of changes see the change logs athttps://zope.readthedocs.io/en/4.x/changes.html#id1 andhttps://zope.readthedocs.io/en/latest/changes.html#id1
>
> Installation instructions can be found at https://zope.readthedocs.io/en/4.x/INSTALL.html and https://zope.readthedocs.io/en/latest/INSTALL.html.
>
> NOTE: These releases contain a security fix that prevents remote code execution through TAL expressions. You will only be at risk if you allow untrusted people to add or edit Zope Page Template objects. For more details, see the security advisory athttps://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36. A CVE has been requested through GitHub.
>
> NOTE FOR PLONE USERS: Before installing Zope 4.6 or 5.2 make sure to install PloneHotfix20210518 first, see https://plone.org/security/hotfix/20210518. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.
>
> Jens Vagelpohl
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope-dev )
Re: Zope 4.6 and 5.2 released with an important security fix [ In reply to ]
Hi Jens,

thank you for the quick response, the clarifcation and your continued committment for the Zope eco-system.

J?rgen

________________________________
Von: Zope <zope-bounces@zope.org> im Auftrag von Jens Vagelpohl <jens@netz.ooo>
Gesendet: Freitag, 21. Mai 2021 12:47
An: zope-announce@zope.org <zope-announce@zope.org>; zope@zope.org Users <zope@zope.org>
Betreff: Re: [Zope] Zope 4.6 and 5.2 released with an important security fix

Hi J?rgen,

Zope and Plone are still two different projects. The Plone developers published a hotfix product that fixes everything they believe needed to be fixed. I looked at items that apply to plain Zope and made the required changes in Zope.

So anyone using plain Zope can install the latest update and they are safe. As a plain Zope developer I cannot comment on or make recommendations regarding a Plone hotfix, and Zope itself will never require a Plone add-on or hotfix. I don?t have any control over how the Plone release managers communicate these fixes, either. People who do not use Plone are advised to stick to published Zope updates.

jens



> On 21. May 2021, at 12:25 , J?rgen Gmach <juergen.gmach@apis.de> wrote:
>
> Thank you very much for the fix and the new release.
>
> As a user of plain Zope, and having already applied PloneHotfix20210518, I wonder whether I need or should deinstall the hotfix now.
>
> e.g. the hotfix also touched xmlrpc, which this new release does not.
>
> Or let me rephrase my question.
>
> What is the current recommended way to mitigate the announced vulnerabilities for a plain Zope setup?
>
> Install the just released Zope version and the hotfix? Or just the latest Zope version?
>
> Thank you!
> Von: Zope <zope-bounces@zope.org> im Auftrag von Jens Vagelpohl <jens@netz.ooo>
> Gesendet: Freitag, 21. Mai 2021 11:12
> An: zope-announce@zope.org <zope-announce@zope.org>; zope@zope.org Users <zope@zope.org>
> Betreff: [Zope] Zope 4.6 and 5.2 released with an important security fix
>
> On behalf of Zope developer community I am pleased to announce the releases of Zope 4.6 and 5.2.
>
> This bugfix release solves a few minor issues and also contains an important security fix, see below. For the full list of changes see the change logs athttps://zope.readthedocs.io/en/4.x/changes.html#id1 andhttps://zope.readthedocs.io/en/latest/changes.html#id1
>
> Installation instructions can be found at https://zope.readthedocs.io/en/4.x/INSTALL.html and https://zope.readthedocs.io/en/latest/INSTALL.html.
>
> NOTE: These releases contain a security fix that prevents remote code execution through TAL expressions. You will only be at risk if you allow untrusted people to add or edit Zope Page Template objects. For more details, see the security advisory athttps://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36. A CVE has been requested through GitHub.
>
> NOTE FOR PLONE USERS: Before installing Zope 4.6 or 5.2 make sure to install PloneHotfix20210518 first, see https://plone.org/security/hotfix/20210518. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.
>
> Jens Vagelpohl
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope-dev )