Security patch 20210518 version 1.5 released

Version 1.5 of the hotfix is available:

  • plone.org. If you grab the zip from here, please check that the version.txt contains 1.5 and/or that the md5/sha sum matches. You may get an older version from the cache. If so, try adding ?x=1 to the URL.
  • PyPI

Recommended for all. From the changelog:

1.5 (2021-06-28)

  • Fixed new XSS vulnerability in folder contents on Plone 5.0 and higher.
  • Added support for environment variable STRICT_TRAVERSE_CHECK.
    • Default value is 0, which means as strict as the code from version 1.4.
    • Value 1 is very strict, the same as the stricter code introduced in Zope 5.2.1 and now adopted in Zope 4.6.2. There are known issues in Plone with this, for example in the versions history view.
    • Value 2 means: try to be strict, but if this fails we show a warning and return the found object anyway. The idea would be to use this in development or production for a while, to see which code needs a fix.
  • Fix remote code execution via traversal in expressions through the string formatter. This is a variant of two earlier vulnerabilities in this hotfix. This was fixed in Zope 4.6.2, which adopts the already stricter code from Zope 5.2.1.

Note: we don't usually release another version almost six weeks after the original one and three weeks after the previous version, and one that includes a fix for a vulnerability that was only reported last week. But this contains a fix for a close variant of one of the original vulnerabilities and needs a fix in the same code. So it seemed easiest for the security team and for Plone users who patch their sites to release a newer version.
We sincerely hope this will be the last version, so we can close this chapter.

2 Likes
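The version.txt and checksum check from the download note above, as an added Python example (not code from the announcement or from the hotfix package). It assumes the archive carries a version.txt member somewhere in its tree and that you copy the published checksum from the release page; the sample archives, their member paths and the hashes computed here are constructed for the demonstration.

```python
"""Verify a downloaded hotfix zip before installing it.

Added example, not part of the announcement or of the hotfix itself.
Assumptions: the zip contains a member named version.txt somewhere in
its tree, and the expected SHA-256 is the one printed on the release
page. The archives built by build_sample_zip() are constructed stand-ins
for the real download.
"""
import hashlib
import hmac
import posixpath
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large zips are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_version_txt(path: Path) -> Optional[str]:
    """Return the stripped contents of the first version.txt member, or None."""
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            if posixpath.basename(member) == "version.txt":
                return zf.read(member).decode("ascii").strip()
    return None


def verify_hotfix(path: Path, expected_version: str,
                  expected_sha256: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Check checksum (if given) and version.txt; return (ok, problems).

    Both checks run so a stale cached download reports every mismatch.
    """
    problems: List[str] = []
    if expected_sha256 is not None:
        actual = sha256_of(path)
        # constant-time compare; the values are hex strings, so this is safe
        if not hmac.compare_digest(actual, expected_sha256.lower()):
            problems.append(f"sha256 mismatch: got {actual}")
    version = read_version_txt(path)
    if version is None:
        problems.append("no version.txt in archive")
    elif version != expected_version:
        problems.append(
            f"version.txt says {version}, expected {expected_version} (stale cache?)")
    return (not problems, problems)


def build_sample_zip(path: Path, version: str) -> Path:
    """Constructed stand-in for the real download (member layout is assumed)."""
    top = f"Products.PloneHotfix20210518-{version}"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"{top}/Products/PloneHotfix20210518/version.txt", version + "\n")
        zf.writestr(f"{top}/README.rst", "constructed sample archive\n")
    return path


def run_demo() -> dict:
    """Verify a fresh 1.5 archive and a stale 1.4 one served from a cache."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        fresh = build_sample_zip(Path(tmp) / "hotfix-1.5.zip", "1.5")
        stale = build_sample_zip(Path(tmp) / "hotfix-1.4.zip", "1.4")
        published = sha256_of(fresh)  # stands in for the hash on the release page
        results["fresh"] = verify_hotfix(fresh, "1.5", published)
        results["stale"] = verify_hotfix(stale, "1.5", published)
        # without a published hash, version.txt is the only signal left
        results["stale_no_hash"] = verify_hotfix(stale, "1.5")
    return results


if __name__ == "__main__":
    for name, (ok, problems) in run_demo().items():
        print(name, "OK" if ok else "FAILED", problems)
```

For a real download, call verify_hotfix() with the path of the zip you fetched and the checksum and version shown on the release page; treat any reported problem as a reason to refetch with a cache-busting query string rather than install.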

I have my GitLab CI/CD set to run ossaudit (a Python package) on a venv with Plone 5.2.4. Even with this hotfix, ossaudit is still declaring vulnerabilities on Plone 5.2.4. Is anyone on the security team familiar with this Python package? I'm wondering if it's even capable of considering hotfix packages or if it's just looking at the Plone version number.

1 Like

I don't know ossaudit. I can't imagine it knows about our hotfix packages, so this is expected.

I do want to release Plone 5.2.5 this or next week (likely next), which should fix this report.

2 Likes

In the future, we could consider quickly creating a Plone 5.2.4.1 release whose only change is adding the hotfix as an extra dependency, plus a version pin.
With all the versions of the current hotfix, we would have been at Plone 5.2.4.5 at this point, though I hope this many versions remains an exception.

1 Like