On behalf of the Zope developer community I am pleased to announce the releases 
of Zope 4.8.9 and 5.8.4.

These bugfix releases solve a few minor issues and contain a security fix. For 
the full list of changes see the change logs at 
https://zope.readthedocs.io/en/4.x/changes.html#id1 and 
https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at 
https://zope.readthedocs.io/en/4.x/INSTALL.html and 
https://zope.readthedocs.io/en/latest/INSTALL.html.

These releases contain a security fix for the RestrictedPython and 
AccessControl packages, which would allow an attacker with enough privileges to 
add or edit Zope objects containing code (DTML Methods and Documents, Script 
(Python) or Page Templates) to access Python objects outside of the Zope 
sandbox. Due to the high level of access privilege required - normally only 
administrator-level users are allowed to add or edit the affected Zope objects 
- the risk to Zope and Plone site maintainers is limited.


The related security advisories with full details are published here:

- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c
- https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67

Jens Vagelpohl


List info: https://mail.zope.dev/mailman3/lists/zope.zope.dev
Archive: https://mail.zope.dev/archives/list/zope.zope.dev
Old archive: https://mail.zope.dev/pipermail/zope