Plone 6.0.0.1 released (with Zope security fix)

Release notes for Plone 6.0.0.1

For technical wizards who want to jump straight in, here are two important links:

Highlights

Major changes since 6.0.0:

  • Zope: Security fix for a Cross Site Scripting vulnerability. See announcement. The security fix is in Zope 5.7.1, but there were a few regressions, so we use 5.7.3.
  • plone.protect: fix test that failed after the security fix.
  • plone.volto: A few textual improvements in the default created pages and the migration wizard.

Volto frontend

The default frontend for Plone 6 is Volto. Latest release is 16.5.0. See the changelog.
Note that this is a JavaScript frontend that you need to run in a separate process with NodeJS.
The Classic UI is still available when you only run the Python process.

Python compatibility

This release supports Python 3.8, 3.9, 3.10, and 3.11.

Installation

For installation instructions, see the documentation.

Issues

If you find any issues, please report them in the main issue tracker.


Thanks for all the effort.

Can anyone confirm "click the content tag" and check the 2nd page of the search result is wrong?

I have a report here and in the bug tracker for this issue, but it appears that only I have it. Can anyone do some tests for it?

https://dist.plone.org/release/6.0-latest/constraints.txt has not been updated yet

On the server, 6.0-latest is a symlink that correctly points to 6.0.0.1. When I open the constraints.txt in my browser, I see Zope==5.7.3 in there, so that is correct.
Might be some caching, we have CloudFlare in front of this.

It really was some cache. It worked now.

I upgraded to Plone 6.0.0.1 and now I get the error:

2022-12-21 17:54:45 WARNING [plone.restapi.search.query:118][waitress-0] No such index: 'sort_on'
2022-12-21 17:54:45 WARNING [plone.restapi.search.query:118][waitress-0] No such index: 'sort_order'

When running the search:

http://localhost:8080/Plone/++api++/@search?b_size=50&metadata_fields=_all&path.depth=1&sort_on=getObjPositionInParent&sort_order=ascending

I have a 6.0.0 site that doesn't show this in the same search.

Perhaps the error @mactrash is having could be related to the error I saw. Perhaps there is a problem with the Catalog.

I think this is a regression from handle sort_on and sort_order parameters to allow both lists and strings by erral · Pull Request #1533 · plone/plone.restapi · GitHub -- there is a missing continue after line 110 in query.py, @erral

FYI fix: add missing continue to avoid unneeded warnings in logs by erral · Pull Request #1559 · plone/plone.restapi · GitHub

I was also seeing this, but I didn't remember whether I was seeing it before my fix.

@davisagli thanks for fixing this!

I have a 6.0.0 site that doesn't show this in the same search.

The 6.0.0 site I used to test this was one created with the Volto repository buildout:

Then I went to check, and I saw that it pins an outdated version of plone.restapi, compared to Plone 6.0.0, which does not contain the @erral change:

So I thought it could be a problem with the Catalog used by Plone 6.0.0.1. But actually Plone 6.0.0 already has this problem if the correct version of plone.restapi is used.

I understand the need for Volto to use a more recent version of plone.restapi, but when the Plone version is updated in buildout, the plone.restapi version has to be checked in versions.cfg, so it doesn't get out of date. In fact, I think that several versions.cfg pins should be removed from there, to avoid this problem.
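A pin check for the Zope fix named in the release notes and for the stale-pin concern raised in the last post, as an added example that is not part of the thread or of Plone's own tooling. The function names and both sample files are constructed for illustration; only the version numbers 5.7.1 and 5.7.3 come from the release notes, and pre-release version strings are deliberately not parsed (they are reported as unpinned).

```python
import re

# From the release notes above: the XSS fix first shipped in Zope 5.7.1,
# and Plone 6.0.0.1 pins 5.7.3 because of regressions in between.
FIXED_IN = (5, 7, 1)
RELEASE_PIN = (5, 7, 3)

# Matches "Zope==5.7.3" (pip constraints) and "Zope = 5.7.3" (buildout [versions]).
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*={1,2}\s*([0-9]+(?:\.[0-9]+)*)\s*(?:[#;].*)?$"
)

# Constructed samples, not copied from dist.plone.org or any real buildout.
CONSTRAINTS_TXT = "Products.CMFPlone==6.0.0.1\nZope==5.7.3\n"
STALE_VERSIONS_CFG = "[versions]\nextends = base.cfg\nZope = 5.7\n"


def parse_pins(text):
    """Return {lowercased package name: version tuple} for every exact pin."""
    pins = {}
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            name, version = match.groups()
            pins[name.lower()] = tuple(int(part) for part in version.split("."))
    return pins


def zope_status(text):
    """Classify the Zope pin found in a constraints.txt or versions.cfg body."""
    pin = parse_pins(text).get("zope")
    if pin is None:
        return "unpinned"  # nothing guarantees the fixed release is installed
    if pin < FIXED_IN:
        return "vulnerable"  # predates the security fix
    if pin < RELEASE_PIN:
        return "fixed-with-regressions"  # has the fix, not the release pin
    return "ok"


if __name__ == "__main__":
    for label, body in (("constraints.txt", CONSTRAINTS_TXT),
                        ("versions.cfg", STALE_VERSIONS_CFG)):
        print(label, "->", zope_status(body))
```

Run it against the fully resolved pins of a deployment (after buildout `extends` or pip constraints are merged), since a local override can silently replace the release pin.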