On behalf of the Zope developer community I am pleased to announce the release of 
Zope 5.11.1 with several security fixes.

This bugfix release relies on waitress version 3.0.1. Version 3.0.0 suffers 
from two exploits, see 
https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj and 
https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6. If 
you cannot upgrade your installation to Zope 5.11.1 it is sufficient to upgrade 
waitress to version 3.0.1 as a workaround.

AccessControl has been updated to release 7.2. Earlier versions suffer from a 
security issue where anonymous users could delete all users stored in a 
standard Zope user folder. Only the standard user folder is affected; most 
deployments, such as those using Plone, do not use this standard user folder and 
are not affected. If you cannot upgrade your installation to Zope 5.11.1 it is 
sufficient to upgrade AccessControl to version 7.2 as a workaround.

For details of the changes see 
https://zope.readthedocs.io/en/latest/changes.html

To install the new version see 
https://zope.readthedocs.io/en/latest/INSTALL.html

Jens Vagelpohl
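
An added example, not part of the announcement or of Zope's own tooling: a Python check that flags waitress and AccessControl pins (pip `name==version` or buildout `name = version` lines) and installed packages older than the fixed releases named above. It assumes every version below the named fixed release needs the upgrade; the sample pins are constructed.

```python
import re
from importlib import metadata

# Fixed releases named in the announcement.
FIXED = {"waitress": "3.0.1", "AccessControl": "7.2"}
# Matches pip-style "name==1.2" and buildout-style "name = 1.2" pins.
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*={1,2}\s*(\d[^\s;#]*)")

def norm(name):
    """Normalize a distribution name for comparison (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name).lower()

WANTED = {norm(n): n for n in FIXED}

def vtuple(version, width=4):
    """'3.0.1' -> (3, 0, 1, 0). Pre-release suffixes are ignored (simplification)."""
    nums = []
    for piece in version.split(".")[:width]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (width - len(nums)))

def older(version, fixed):
    return vtuple(version) < vtuple(fixed)

def audit_pins(text):
    """Return {name: pinned version} for pins older than the fixed release."""
    found = {}
    for line in text.splitlines():
        m = PIN.match(line)
        name = WANTED.get(norm(m.group(1))) if m else None
        if name and older(m.group(2), FIXED[name]):
            found[name] = m.group(2)
    return found

def audit_installed():
    """Same check against the packages installed in the running interpreter."""
    found = {}
    for name, fixed in FIXED.items():
        try:
            installed = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue  # not installed here, nothing to report
        if older(installed, fixed):
            found[name] = installed
    return found

# Constructed sample pins, not taken from any real deployment.
SAMPLE = "Zope==5.11\nwaitress==3.0.0\nAccessControl = 7.1\nzope.interface==7.1.1\n"
```

Run `audit_pins()` over the text of a requirements or versions file, and `audit_installed()` inside the virtual environment that serves the Zope instance.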
