From jens at plyp.com Sat Jul 31 09:55:20 2021
From: jens at plyp.com (Jens Vagelpohl)
Date: Sat, 31 Jul 2021 11:55:20 +0200
Subject: [Zope-Annce] Zope 4.6.3 and 5.3 released with a security fix
Message-ID:

On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.6.3 and 5.3. These bugfix releases solve a few minor issues and contain a security fix.

For the full list of changes see the change logs at
https://zope.readthedocs.io/en/4.x/changes.html#id1 and
https://zope.readthedocs.io/en/latest/changes.html#id1

Installation instructions can be found at
https://zope.readthedocs.io/en/4.x/INSTALL.html and
https://zope.readthedocs.io/en/latest/INSTALL.html.

These releases contain a security fix that prevents remote code execution through Script (Python) objects. You are only at risk if all of the following are true:

- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
- You have installed the optional Products.PythonScripts add-on package
- You allow untrusted non-admin users to add or edit Script (Python) objects

By default, untrusted non-admin users cannot add or edit Script (Python) objects; only "Manager" users can. Enabling this level of access for untrusted users would be a very unusual configuration, and it is highly unlikely any site administrator would do so to begin with.

The related security advisories with full details are published here:

- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See https://plone.org/security/hotfix/20210518. Don't install Zope 4.6.3 or 5.3 into an existing Plone setup without testing.
The PloneHotfix package ensures that the Zope changes don't interfere with Plone add-ons.

Jens Vagelpohl