Security patch has been released: 20161129

Hotfix to patch various vulnerabilities

CVE numbers not yet issued.

Versions Affected: All supported Plone versions (4.x, 5.x). Previous versions could be affected but have not been tested.

Versions Not Affected: None.

Nature of vulnerability: the patch will address several cross site scripting (XSS) and private data exposure vulnerabilities.

The patch was released at 2016-11-29 15:00 UTC.

Installation
Full installation instructions are available on the HotFix release page.

Extra Help
If you do not have in-house server administrators or a website maintenance service agreement, you can find consulting companies at plone.com/providers .

There is also free support available online via the Plone IRC channel and the Plone community forum.

See the full announcement

hi @tkimnguyen - could you please also update https://plone.org/security/hotfixes and add the new hotfix there?

looking... and asking someone on the Security Team to do that...

OK it's done now! We had not published the issues inside the hotfix.

There have been two minor updates to the hotfix. Latest release is now 1.2.
They are only relevant if you are using comments.
From the https://pypi.python.org/pypi/Products.PloneHotfix20161129 changelog:

1.2 (2016-11-29)

  • Handle issue where not all comments on multilingual sites were reindexed. [maurits]

1.1 (2016-11-29)

  • handle issue where the comment upgrade would fail if a comment was in the catalog but removed from the site. You only need to upgrade to this version of the patch if you get an AttributeError running the commenting patch on the site. [vangheem]

1.0 (2016-11-29)

  • Initial release

I work for a nonprofit. Our website maintenance service provider is charging us $300 to install the patch. Is this something I can do? I don't have developer experience, but I'm good at following directions. :slight_smile:

Thank you in advance for any help you may be able to offer. -Christina

Hi @christina - you'd need to be comfortable using a terminal window and command line. Volunteers are often available to help, in IRC or Gitter or Slack. However, a Plone service provider would be able to do it more quickly and would help you avoid potential pitfalls.

Thanks @tkimnguyen! How much time is generally expected for an experienced service provider?

That will depend... A lot of Plone service providers seem to be going away from per-incident support; they need a regular income source to be able to staff consistently, and so they'll have their own way of pricing "one off" tasks.

This latest patch was not difficult to install on Plone 4 and 5, but if you have unique requirements (e.g. an older Plone version, a big site with lots of content or comments) then it could get interesting.

Okay. Thanks for the help.

Updating my own sites and customer sites - usually something in the range of 8-12 Plone application servers - usually does not take me longer than 30 minutes - however there had been times with badly prepared or buggy hotfixes where it took several hours spread across days for getting things installed. Time needed depends on size of your installation, experience of your provider, level of automatization etc... 300 USD appears a lot of money but that's not more than 2 hours of paid work for support task in the IT industry - in particular for single incidents. And yes, companies need to make some money and they don't make money from spending 5 minutes installing a Plone patch on a perhaps outdated and unmaintained system.

-aj

1 Like

I would like to add that you never know what are you going to find on a deployment made by someone else and not maintained in eons.

yes, installing the patch and restarting the instances takes no more than 5 minutes on any well maintained deployment, but that could easily become a nightmare after you try to update a buildout and something breaks apart leaving you with a unusable site.

so, @christina, the moral of this story is: OSS is not cost free, specially when it comes to maintenance costs; or, as the great philosopher Robert Heinlein used to say: TANSTAAFL!

we mostly reject per-incident support and is not because of the money ($300 USD pays more than 2 hours over here), but because of the risks associated.

Thank you all! Like all of you wisely advised, it's best to pay the experts to be the experts. I was just trying to be cheap and I'm sure I would've paid for it in the end.

I know it was out of my league when I had to click the "TANSTAAFL" link. :wink:

Thanks again for all of your help and for all that you folks do!

2 Likes