Hi Jürgen, Zope and Plone are still two different projects. The Plone developers published a hotfix product that fixes everything they believe needed to be fixed. I looked at items that apply to plain Zope and made the required changes in Zope.
So anyone using plain Zope can install the latest update and they are safe. As a plain Zope developer I cannot comment on or make recommendations regarding a Plone hotfix, and Zope itself will never require a Plone add-on or hotfix. I don't have any control over how the Plone release managers communicate these fixes, either. People who do not use Plone are advised to stick to published Zope updates.

jens

> On 21. May 2021, at 12:25 , Jürgen Gmach <juergen.gm...@apis.de> wrote:
>
> Thank you very much for the fix and the new release.
>
> As a user of plain Zope, and having already applied PloneHotfix20210518, I wonder whether I need or should deinstall the hotfix now.
>
> e.g. the hotfix also touched xmlrpc, which this new release does not.
>
> Or let me rephrase my question.
>
> What is the current recommended way to mitigate the announced vulnerabilities for a plain Zope setup?
>
> Install the just released Zope version and the hotfix? Or just the latest Zope version?
>
> Thank you!
>
> From: Zope <zope-boun...@zope.org> on behalf of Jens Vagelpohl <j...@netz.ooo>
> Sent: Friday, 21 May 2021 11:12
> To: zope-annou...@zope.org <zope-annou...@zope.org>; zope@zope.org Users <zope@zope.org>
> Subject: [Zope] Zope 4.6 and 5.2 released with an important security fix
>
> On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.6 and 5.2.
>
> This bugfix release solves a few minor issues and also contains an important security fix, see below. For the full list of changes see the change logs at https://zope.readthedocs.io/en/4.x/changes.html#id1 and https://zope.readthedocs.io/en/latest/changes.html#id1
>
> Installation instructions can be found at https://zope.readthedocs.io/en/4.x/INSTALL.html and https://zope.readthedocs.io/en/latest/INSTALL.html.
>
> NOTE: These releases contain a security fix that prevents remote code execution through TAL expressions. You will only be at risk if you allow untrusted people to add or edit Zope Page Template objects. For more details, see the security advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36. A CVE has been requested through GitHub.
>
> NOTE FOR PLONE USERS: Before installing Zope 4.6 or 5.2 make sure to install PloneHotfix20210518 first, see https://plone.org/security/hotfix/20210518. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.
>
> Jens Vagelpohl
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope-dev )