Thank you very much for the fix and the new release.

As a user of plain Zope, and having already applied PloneHotfix20210518, I 
wonder whether I need or should uninstall the hotfix now.

E.g. the hotfix also touched xmlrpc, which this new release does not.

Or let me rephrase my question.

What is the current recommended way to mitigate the announced vulnerabilities 
for a plain Zope setup?

Install the just released Zope version and the hotfix? Or just the latest Zope 

Thank you!
From: Zope <> on behalf of Jens Vagelpohl <>
Sent: Friday, 21 May 2021 11:12
To: <>; Users 
Subject: [Zope] Zope 4.6 and 5.2 released with an important security fix

On behalf of the Zope developer community I am pleased to announce the releases of 
Zope 4.6 and 5.2.

This bugfix release solves a few minor issues and also contains an important 
security fix, see below. For the full list of changes see the change logs at and

Installation instructions can be found at and

NOTE: These releases contain a security fix that prevents remote code execution 
through TAL expressions. You will only be at risk if you allow untrusted people 
to add or edit Zope Page Template objects. For more details, see the security 
advisory at 
A CVE has been requested through GitHub.

NOTE FOR PLONE USERS: Before installing Zope 4.6 or 5.2 make sure to install 
PloneHotfix20210518 first, see The 
security changes in Zope break some Plone add-ons that relied on the old 
insecure traversal behavior. PloneHotfix20210518 ensures support for those 
Plone add-ons.

Jens Vagelpohl
Zope maillist  -