Clarity on 5.2.14 security update

Question / Clarification here: Plone Security Advisory 20230921

If one is using the 5.2.14 version pins with:

plone.rest = 1.6.2
plone.restapi = 7.8.3

and is not using plone.restapi 8, can these 'rest' pins remain at the 5.2.14 Plone version pins and still satisfy the security fix?

All of these versions are satisfied:

AccessControl = 4.4
plone.namedfile = 5.6.1
RestrictedPython = 5.4
Zope = 4.8.10

Yes, those pins are fine:

  • The plone.rest advisory says that the 1.x branch is not affected. Off the top of my head, I think the vulnerable ++api++ traverser was introduced only in version 2.
  • The plone.restapi advisory says that only version 8 is vulnerable, so not version 7.
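The point of the exchange above is that a pin can be older than the fixed release and still be safe, because the advisory applies per branch (plone.rest 1.x and plone.restapi 7.x are not affected, while the other packages need at least the fixed release on their branch). The following checker is an added example written for this thread; it is not code from the post, from Plone, or from the advisory. It reads a buildout-style [versions] section and classifies each pin. The rule table is an assumption built only from what the thread states: the 1.x / 7.x "unaffected" entries come from the answer, the minimum fixed releases come from the pins the question lists as satisfying the advisory, and any branch the thread does not cover (plone.rest 2.x, plone.restapi 8.x, Zope 5.x, and so on) is reported as "unknown" rather than given a guessed fixed version. The sample config is constructed from the pins quoted in the question.

```python
import configparser

# Constructed sample input: the pins quoted in the question above.
SAMPLE_VERSIONS_CFG = """\
[versions]
plone.rest = 1.6.2
plone.restapi = 7.8.3
AccessControl = 4.4
plone.namedfile = 5.6.1
RestrictedPython = 5.4
Zope = 4.8.10
"""

# ASSUMED rule table derived from the thread, per package:
#   major version -> minimum fixed release on that branch,
#   or None when the thread says that branch is not affected at all.
# Branches not listed (plone.rest 2.x, plone.restapi 8.x, Zope 5.x, ...)
# are deliberately absent so the checker reports "unknown" instead of
# inventing a fixed version; fill them in from the advisory itself.
RULES = {
    "plone.rest": {1: None},        # 1.x branch not affected
    "plone.restapi": {7: None},     # only version 8 is vulnerable
    "AccessControl": {4: "4.4"},
    "plone.namedfile": {5: "5.6.1"},
    "RestrictedPython": {5: "5.4"},
    "Zope": {4: "4.8.10"},
}


def parse_version(text):
    """Turn '4.8.10' into (4, 8, 10). A non-numeric tail such as 'rc1'
    is dropped, which is sufficient for the release pins checked here."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(pinned, minimum):
    """Compare two dotted versions, zero-padding so that 5.4 >= 5.4.0."""
    a, b = parse_version(pinned), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def parse_pins(cfg_text):
    """Read the [versions] section of a buildout-style config into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of package names such as 'Zope'
    cp.read_string(cfg_text)
    return dict(cp["versions"]) if cp.has_section("versions") else {}


def check_pins(pins, rules=RULES):
    """Return {package: status} for every package the rules cover.

    Statuses: 'unaffected' (pinned branch is not affected), 'fixed' (pin at
    or above the fixed release on its branch), 'vulnerable' (pin below it),
    'unknown' (a branch the rules say nothing about), 'unpinned' (package
    missing from the pin list).
    """
    report = {}
    for name, branches in rules.items():
        pin = pins.get(name)
        if pin is None:
            report[name] = "unpinned"
            continue
        parsed = parse_version(pin)
        if not parsed or parsed[0] not in branches:
            report[name] = "unknown"
            continue
        minimum = branches[parsed[0]]
        if minimum is None:
            report[name] = "unaffected"
        elif version_at_least(pin, minimum):
            report[name] = "fixed"
        else:
            report[name] = "vulnerable"
    return report


if __name__ == "__main__":
    report = check_pins(parse_pins(SAMPLE_VERSIONS_CFG))
    for package, status in sorted(report.items()):
        print(f"{package:18} {status}")
```

Run against the pins from the question, every package comes back as "unaffected" or "fixed"; a pin such as Zope 4.8.9 would come back "vulnerable", and a plone.rest 2.x pin comes back "unknown" because the thread gives no fixed release for that branch.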