Security patch has been released: 20160830

Hotfix to patch various vulnerabilities

CVE numbers not yet issued.

Versions Affected: All supported Plone versions (4.x, 5.x). Previous versions could be affected but have not been tested.

Versions Not Affected: None.

Nature of vulnerability: the patch will address several cross-site scripting (XSS) vulnerability issues.

The patch was released at 2016-08-30 15:00 UTC.

Installation
Full installation instructions are available on the HotFix release page at https://plone.org/security/hotfix/20160830

Extra Help
If you do not have in-house server administrators or a website maintenance service agreement, you can find consulting companies at plone.com/providers.

There is also free support available online via the Plone IRC channel and the Plone community forum (here).

See the full announcement at https://plone.org/security/announcements/security-patch-released-20160830

We see that on Plone 3 the z3c.form patch does not work correctly: those forms give errors. By default Plone 3 does not use z3c.form, so you may not be affected. Plone 4 and higher are working fine. The security team is testing a fix and will likely release a 1.1 version today.

Note that Plone 3 is officially not supported under the Plone Security policy.
We are just being nice. :grinning:


Version 1.1 was released on September 1. Please upgrade if you use Plone 3 with z3c.form.

Also, on Plone 4, version 1.1 avoids a warning that the 'user' patch cannot be applied. With version 1.0 you are still safe, because it cannot be exploited. But if you are annoyed or get nervous about the warning, then you can upgrade.


Version 1.2 has been released today. This fixes a problem with plone.app.discussion, where deleting comments no longer worked: there was no error, but no comments were deleted either.

When you use plone.app.discussion version 2.3.2 or earlier, you should upgrade. Previous versions of the patch work fine with later versions.

Note that by default Plone 4.1.x, 4.2.x, and 4.3.x use a version of plone.app.discussion that has this problem. Some remarks:

  • If you don't have comments enabled, you don't need to update.
  • Previous versions of the hotfix may seem to work, because the comment is not shown on the page anymore. But when you reload the page, the comment is still there.
  • If you have enabled comment moderation, then for new comments you can still bulk delete them on the moderation page.

The Plone security team has released version 1.3 of the hotfix. You probably don't need to update. But if you have z3c forms that should prefill inputs with data from a GET request, then the hotfix does not allow this. Version 1.3 offers a way around that. From the readme:

z3c.form and prefilling data

With this hotfix, we only use data from the request when the request method matches the form method. By default all forms are meant for POST requests, and in those we no longer allow prefilling data from a GET request. The same is true the other way around: we don't fill in data from POST requests in forms that expect a GET request, but that likely does not happen often.

If you have a form where this protection is not wanted, you can add an attribute allow_prefill_from_GET_request on the form and set it to a True value. If you want, you can import this attribute name from Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL. This attribute will likely be ported to the z3c.form package.

The attribute was introduced in version 1.3 of the hotfix.

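The method-matching rule quoted from the readme above, as an added example that is not part of the original thread and not the hotfix's code. It is a simplified model: FakeRequest, the form classes and both functions are hypothetical, and only the attribute name comes from the readme.

```python
# Simplified model of the rule in the readme; not the hotfix's own code.
# FakeRequest, the form classes and both functions are hypothetical names.

# Attribute name from the readme. On a patched site the readme says it can be
# imported from Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL.
ALLOW_PREFILL = "allow_prefill_from_GET_request"


class FakeRequest:
    """Constructed stand-in for a request: HTTP method plus submitted data."""

    def __init__(self, method, form):
        self.method = method
        self.form = dict(form)


class BaseForm:
    method = "post"  # forms are meant for POST by default
    fields = ("title", "email")


class SearchForm(BaseForm):
    method = "get"  # a form that expects GET requests


class NewsletterForm(BaseForm):
    allow_prefill_from_GET_request = True  # opt out of the protection


def may_use_request_data(form, request):
    """Return True when request data may populate the form's inputs."""
    req_method = request.method.upper()
    if req_method == form.method.upper():
        return True
    # Assumption: the opt-in only covers GET data, as the attribute name says.
    return req_method == "GET" and bool(getattr(form, ALLOW_PREFILL, False))


def initial_values(form, request):
    """Values the inputs start with: request data if allowed, else empty."""
    allowed = may_use_request_data(form, request)
    return {f: request.form.get(f, "") if allowed else "" for f in form.fields}


# Constructed sample: a link carrying form data in the query string.
LINK = FakeRequest("GET", {"title": "Hello", "email": "a@example.org"})
```

Only set the attribute on forms where link-supplied values are expected, since it turns the protection off for that form.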