On behalf of the Zope developer community I am pleased to announce the releases of 
Zope 4.6.3 and 5.3.

This bugfix release solves a few minor issues and contains a security fix. For 
the full list of changes see the change logs at 
https://zope.readthedocs.io/en/4.x/changes.html#id1 and 
https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at 
https://zope.readthedocs.io/en/4.x/INSTALL.html and 
https://zope.readthedocs.io/en/latest/INSTALL.html.

These releases contain a security fix that prevents remote code execution 
through Script (Python) objects. You are only at risk if all of the following 
are true:

- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
- You have installed the optional Products.PythonScripts add-on package
- You allow untrusted non-admin users to add or edit Script (Python) objects

By default, untrusted non-admin users cannot add or edit Script (Python) 
objects, only “Manager” users can. Enabling this level of access for untrusted 
users would be a very unusual configuration and it is highly unlikely any site 
administrator would do so to begin with.
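The four conditions above combine into a simple self-check. The script below is an added example, not Zope project code; it assumes Zope is installed as the "Zope" distribution and that the add-on is importable as the Products.PythonScripts package, and it takes the fourth condition (whether untrusted users may edit Script (Python) objects) as an input, since that is a site permission setting rather than something visible from the interpreter.

```python
"""Check a Zope deployment against the affected conditions in the announcement.

Example added for illustration; not part of Zope or the announcement itself.
"""
import importlib.util
import sys
from importlib.metadata import PackageNotFoundError, version


def parse_version(v: str) -> tuple:
    # Numeric comparison so that "4.10" sorts after "4.6.3" (string compare would not).
    return tuple(int(part) for part in v.split(".") if part.isdigit())


# First fixed release per major line, as stated in the announcement.
FIXED_IN = {4: (4, 6, 3), 5: (5, 3)}


def zope_version_affected(zope_version: str) -> bool:
    """True if the version is below the fixed release of its major line."""
    parsed = parse_version(zope_version)
    if not parsed or parsed[0] not in FIXED_IN:
        return False  # outside the 4.x / 5.x ranges the advisory covers
    return parsed < FIXED_IN[parsed[0]]


def deployment_at_risk(zope_version: str, python_major: int,
                       pythonscripts_installed: bool,
                       untrusted_can_edit_scripts: bool) -> bool:
    """All four conditions from the announcement must hold to be at risk."""
    return (python_major >= 3
            and zope_version_affected(zope_version)
            and pythonscripts_installed
            and untrusted_can_edit_scripts)


def check_local_environment(untrusted_can_edit_scripts: bool) -> dict:
    """Inspect the running interpreter (assumed distribution/package names)."""
    try:
        zope_version = version("Zope")
    except PackageNotFoundError:
        return {"zope_installed": False, "at_risk": False}
    has_scripts = importlib.util.find_spec("Products.PythonScripts") is not None
    return {
        "zope_installed": True,
        "zope_version": zope_version,
        "python_major": sys.version_info.major,
        "pythonscripts_installed": has_scripts,
        "at_risk": deployment_at_risk(zope_version, sys.version_info.major,
                                      has_scripts, untrusted_can_edit_scripts),
    }


if __name__ == "__main__":
    print(check_local_environment(untrusted_can_edit_scripts=False))
```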

The related security advisories with full details are published here:

- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf

NOTE FOR PLONE USERS: Make sure to install the latest version of 
PloneHotfix20210518 first, which should appear shortly after this Zope release. 
See https://plone.org/security/hotfix/20210518. Don't install Zope 4.6.3 or 5.3 
into an existing Plone setup without testing. The PloneHotfix package ensures 
that the Zope changes don't interfere with Plone add-ons.

Jens Vagelpohl

_______________________________________________
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope