On behalf of Zope developer community I am pleased to announce the releases of 
Zope 4.6.3 and 5.3.

This bugfix release solves a few minor issues and contains a security fix. For 
the full list of changes see the change logs at 
https://zope.readthedocs.io/en/4.x/changes.html#id1 and 

Installation instructions can be found at 
https://zope.readthedocs.io/en/4.x/INSTALL.html and 

These releases contain a security fix that prevents remote code execution 
through Script (Python) objects. You are only at risk if all of the following 
are true:

- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
- You have installed the optional Products.PythonScripts add-on package
- You allow untrusted non-admin users to add or edit Script (Python) objects

By default, untrusted non-admin users cannot add or edit Script (Python) 
objects, only “Manager” users can. Enabling this level of access for untrusted 
users would be a very unusual configuration and it is highly unlikely any site 
administrator would do so to begin with.

The related security advisories with full details are published here:

- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr

NOTE FOR PLONE USERS: Make sure to install the latest version of 
PloneHotfix20210518 first, which should appear shortly after this Zope release. 
See https://plone.org/security/hotfix/20210518. Don't install Zope 4.6.3 or 5.3 
into an existing Plone setup without testing. The PloneHotfix packages ensures 
that the Zope changes don’t interfere with Plone add-ons.

Jens Vagelpohl

Attachment: signature.asc
Description: Message signed with OpenPGP

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to