Version 1.5 of the hotfix is available:

- plone.org. If you grab the zip from here, please check that the version.txt contains 1.5 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding ?x=1 to the URL then.
- PyPI
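The two checks asked for above, version.txt content and the digest of the archive, as an added example that is not part of the hotfix or this announcement. It assumes the "sha sum" is SHA-256, uses a constructed in-memory archive with a hypothetical directory name in place of the downloaded zip, and takes the expected digest as a parameter (the announcement does not state one).

```python
import hashlib
import hmac
import io
import zipfile
from typing import Optional


def build_sample_zip(version: str) -> bytes:
    """Constructed stand-in for the hotfix zip; the real one is read from disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical top-level directory name, not the hotfix's real layout.
        zf.writestr("hotfix-example/version.txt", version + "\n")
        zf.writestr("hotfix-example/README.txt", "sample content\n")
    return buf.getvalue()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_version(zip_bytes: bytes) -> Optional[str]:
    """Return the stripped content of version.txt at any depth, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == "version.txt":
                return zf.read(name).decode("utf-8").strip()
    return None


def check_hotfix(zip_bytes: bytes, expected_version: str, expected_sha256: str) -> dict:
    """Report both checks; a stale cached download fails at least one of them."""
    version = read_version(zip_bytes)
    digest = sha256_of(zip_bytes)
    version_ok = version == expected_version
    digest_ok = hmac.compare_digest(digest, expected_sha256.strip().lower())
    return {
        "version": version,
        "version_ok": version_ok,
        "sha256": digest,
        "sha256_ok": digest_ok,
        "ok": version_ok and digest_ok,
    }


if __name__ == "__main__":
    sample = build_sample_zip("1.5")
    print(check_hotfix(sample, "1.5", sha256_of(sample)))
```

For a real download, read the file with `open(path, "rb").read()` and pass the digest published alongside the release as `expected_sha256`.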
Recommended for all. From the changelog:

1.5 (2021-06-28)

- Fixed new XSS vulnerability in folder contents on Plone 5.0 and higher.
- Added support for environment variable STRICT_TRAVERSE_CHECK.
  - Default value is 0, which means as strict as the code from version 1.4.
  - Value 1 is very strict, the same as the stricter code introduced in Zope 5.2.1 and now taken over in Zope 4.6.2. There are known issues in Plone with this, for example in the versions history view.
  - Value 2 means: try to be strict, but if this fails we show a warning and return the found object anyway. The idea would be to use this in development or production for a while, to see which code needs a fix.
- Fix Remote Code Execution via traversal in expressions via string formatter. This is a variant of two earlier vulnerabilities in this hotfix. This was fixed in Zope 4.6.2, which takes over the already stricter code from Zope 5.2.1.
Note: we don't usually release another version almost six weeks after the original one, and three weeks after the previous version, including a fix for a vulnerability which was only reported last week. But this contains a fix for a close variant of one of the original vulnerabilities and needs a fix in the same code. So it seemed easiest for the security team and for Plone users who patch their sites to release a newer version.
We sincerely hope this will be the last version, so we can close this chapter.