it would be great to add an item to the release-checklist to make sure https://plone.org/security/hotfixes/ is always updated for new releases.
That is documented here: https://github.com/plone/buildout.coredev/blob/5.1/docs/release.rst
I was about to add a line "Update page at https://plone.org/security/hotfixes/" but I don't know how this hotfixes page can be updated. I see it is a
@@hotfixes browser view, so this is calculated.
5.0.4 is missing from the list now, which I guess is why you bring this up.
Sorry, for being late on this.
I have updated it.
@mauritsvanrees please contact me directly and I will show you how to update this in order to the process.
I have had contact with Alexander and I can now update the hotfixes page too.
I have added a line in the list of release actions:
seems release 4.3.9 is missing the reference to https://plone.org/security/20151006 (plone4.csrffixes).
Isn't that because that fix is included in this version?
I don't think so as it depends in an external package; the security team must know for sure.
You're right... it's not included by default.
4.3.8 didn't mention that fix either. I'm not hearing here that it should.
thanks maurits. this is exactly what i was asking for. the first thing i do before updating to a new release is to check if applied hotfixes can be removed. i guess others do it the same way. having up-to date information on plone.org/security/hotfixes improves the update process a lot
plone4.csrffixes remains needed on all Plone 4 versions. I have just edited the hotfixed page to let Plone 4.3.9 show this hotfix too.
Technically, plone4.csrffixes should not be needed on Plone 4.3.8 and higher, but for the full protection you would then need to update plone.protect to version 3.x. We have not managed to do this in the core development buildout, because lots and lots of tests then fail.
Some more hints over here:
Personally, I have included this hotfix on only a few sites, regardless of the exact Plone version. We did forbid access to the ZMI instead.