Hi Jürgen,
Zope and Plone are still two different projects. The Plone developers published
a hotfix product that fixes everything they believe needed to be fixed. I
looked at items that apply to plain Zope and made the required changes in Zope.
So anyone using plain Zope can install the latest update and they are safe. As
a plain Zope developer I cannot comment on or make recommendations regarding a
Plone hotfix, and Zope itself will never require a Plone add-on or hotfix. I
don’t have any control over how the Plone release managers communicate these
fixes, either. People who do not use Plone are advised to stick to published
Zope updates.
jens
> On 21 May 2021, at 12:25, Jürgen Gmach wrote:
>
> Thank you very much for the fix and the new release.
>
> As a user of plain Zope, and having already applied PloneHotfix20210518, I
> wonder whether I need or should deinstall the hotfix now.
>
> e.g. the hotfix also touched xmlrpc, which this new release does not.
>
> Or let me rephrase my question.
>
> What is the current recommended way to mitigate the announced vulnerabilities
> for a plain Zope setup?
>
> Install the just released Zope version and the hotfix? Or just the latest
> Zope version?
>
> Thank you!
> From: Zope on behalf of Jens Vagelpohl
>
> Sent: Friday, 21 May 2021 11:12
> To: zope-announce@zope.org; z...@zope.org Users
>
> Subject: [Zope] Zope 4.6 and 5.2 released with an important security fix
>
> On behalf of the Zope developer community I am pleased to announce the releases
> of Zope 4.6 and 5.2.
>
> This bugfix release solves a few minor issues and also contains an important
> security fix, see below. For the full list of changes see the change logs
> at https://zope.readthedocs.io/en/4.x/changes.html#id1
> and https://zope.readthedocs.io/en/latest/changes.html#id1
>
> Installation instructions can be found at
> https://zope.readthedocs.io/en/4.x/INSTALL.html and
> https://zope.readthedocs.io/en/latest/INSTALL.html.
>
> NOTE: These releases contain a security fix that prevents remote code
> execution through TAL expressions. You will only be at risk if you allow
> untrusted people to add or edit Zope Page Template objects. For more details,
> see the security advisory
> at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36.
> A CVE has been requested through GitHub.
>
> NOTE FOR PLONE USERS: Before installing Zope 4.6 or 5.2 make sure to install
> PloneHotfix20210518 first, see https://plone.org/security/hotfix/20210518.
> The security changes in Zope break some Plone add-ons that relied on the old
> insecure traversal behavior. PloneHotfix20210518 ensures support for those
> Plone add-ons.
>
> Jens Vagelpohl
>
> ___
> Zope maillist - z...@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope-dev )
___
Zope-Announce maillist - Zope-Announce@zope.org
https://mail.zope.org/mailman/listinfo/zope-announce
Zope-Announce for Announcements only - no discussions
(Related lists -
Users: https://mail.zope.org/mailman/listinfo/zope
Developers: https://mail.zope.org/mailman/listinfo/zope-dev )
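The exchange above boils down to one question for a plain Zope deployment: is the installed release at or beyond the fixed versions (4.6 on the 4.x line, 5.2 on the 5.x line)? The following script is an added example, not code from the Zope project or from this thread; it assumes only what the announcement states, reports lines the announcement does not cover as "unknown", and treats a pre-release of the fixed version as still vulnerable.

```python
"""Check whether an installed Zope release carries the May 2021 security fix
announced for Zope 4.6 and 5.2 (TAL expression remote code execution).

Added example, not code from the Zope project or from this mailing list.
Assumption: the fix is present from 4.6 on the 4.x line and from 5.2 on
the 5.x line, as the announcement states; lines it does not cover are
reported as "unknown" rather than guessed.
"""
from importlib import metadata
import re

# Earliest fixed release per major line, taken from the announcement.
FIXED_MINIMUM = {4: (4, 6), 5: (5, 2)}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
_PRERELEASE_RE = re.compile(r"^[.\-]?(a|b|c|rc|dev)")


def _split(version):
    """Return (numeric tuple, is_prerelease) for strings such as '5.2',
    '4.6.1', '4.6b1', '5.2.dev0' or '4.5.5.post1'."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    prerelease = bool(_PRERELEASE_RE.match(match.group(2).lower()))
    return numbers, prerelease


def fix_status(version):
    """'fixed', 'vulnerable' or 'unknown' for a Zope version string.
    A pre-release of the fixed version (4.6b1) is still vulnerable; a
    post-release of it (4.6.post1) is fixed."""
    numbers, prerelease = _split(version)
    minimum = FIXED_MINIMUM.get(numbers[0])
    if minimum is None:
        return "unknown"  # 2.x/3.x or newer than 5.x: not covered by the announcement
    width = max(len(numbers), len(minimum))
    have = numbers + (0,) * (width - len(numbers))
    need = minimum + (0,) * (width - len(minimum))
    if have > need or (have == need and not prerelease):
        return "fixed"
    return "vulnerable"


def installed_zope_status(dist_name="Zope"):
    """Look up the Zope distribution installed in this interpreter."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return "not installed", None
    return fix_status(version), version


if __name__ == "__main__":
    print(*installed_zope_status())
```

Run it inside the virtualenv or buildout Python that serves Zope; the Plone hotfix is a separate product and is not what this check looks for.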