Security vulnerability pre-announcement 20171128

The full details are at https://plone.org/security/announcements/20171128-preannounce


I read the FAQ, but did not see whether the security patch would be included in an upcoming release of Plone. I understand it will be available as a patch, but wondered what policy there is for including it in the general release? TIA.

Hi @stevepiercy, we do not include hotfixes in upcoming releases; we fix the underlying problem once the hotfix is published.
So the Plone Security Team will do several corresponding pull requests and package releases before the next Plone releases.

Hotfixes should not introduce any API or feature change and normally will not, so that they can be used on any supported version. One counterexample was plone4.csrffixes (https://pypi.python.org/pypi/plone4.csrffixes), which is still optional on the Plone 4 series.

@stevepiercy, if you look at https://plone.org/security/hotfixes and compare the 5.0.6 hotfixes that apply (there are three) with the ones needed for 5.0.7 (none), that is an example of what @loechel describes (5.0.7 had the hotfix changes applied directly).

Thanks for the clarification.

Reminder: the hotfix will be released this Tuesday, Nov. 28, 2017.

Given that the patch will be applied on many old buildouts that have not been touched in ages, there is quite a high chance that we will have issues with the fact that PyPI recently dropped support for http.

I would add to the preannouncement the suggestion to modify the buildout configuration:

[buildout]
...
index = https://pypi.python.org/simple/

if an error like this occurs:

Getting distribution for 'Products.PloneHotfix20171128'.
Couldn't find index page for 'Products.PloneHotfix20171128' (maybe misspelled?)
While:
Installing instance.
Getting distribution for 'Products.PloneHotfix20171128'.
Error: Couldn't find a distribution for 'Products.PloneHotfix20171128'.
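As an added example (not part of this thread, and not Plone's or zc.buildout's own tooling): a small Python script that scans a buildout configuration for plain-http URLs before the hotfix is installed, rewrites the pypi.python.org ones to https, flags every other http:// URL for manual review (including `extends` and `find-links`), and warns when `[buildout]` sets no `index` at all. The sample configuration and the `UPGRADE_HOSTS` set are constructed assumptions; extend the set with the hosts you know serve https.

```python
"""Rewrite plain-http PyPI URLs in a buildout.cfg to https and flag the rest.

Added example for the thread above; assumptions are marked as such.
"""
import re
from typing import List, Tuple

# Assumption: hosts we know enforce https and can be upgraded mechanically.
UPGRADE_HOSTS = {"pypi.python.org"}

HTTP_URL_RE = re.compile(r"http://([A-Za-z0-9.-]+)(/[^\s]*)?")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
INDEX_RE = re.compile(r"^\s*index\s*[+-]?=")

# Constructed sample buildout fragment (not a real deployment).
SAMPLE_CFG = """[buildout]
extends = http://cfg.example.internal/versions.cfg
index = http://pypi.python.org/simple/
find-links =
    http://pypi.python.org/simple/
    http://eggs.example.internal/eggs/
parts = instance
"""


def harden_buildout(text: str) -> Tuple[str, List[str]]:
    """Return (rewritten_text, notes).

    http:// URLs whose host is in UPGRADE_HOSTS become https://; any other
    http:// URL is left untouched and reported, since the script cannot know
    whether that server speaks https. A [buildout] section without an
    explicit 'index' option is reported too, because buildout then falls
    back to its built-in default index.
    """
    notes: List[str] = []
    out: List[str] = []
    section = None
    buildout_seen = False
    index_seen = False

    for lineno, line in enumerate(text.splitlines(), 1):
        m_sec = SECTION_RE.match(line)
        if m_sec:
            section = m_sec.group(1).strip()
            buildout_seen = buildout_seen or section == "buildout"
        elif section == "buildout" and INDEX_RE.match(line):
            index_seen = True

        def repl(m: "re.Match[str]") -> str:
            host = m.group(1).lower()
            if host in UPGRADE_HOSTS:
                return "https://" + m.group(1) + (m.group(2) or "")
            notes.append(f"line {lineno}: plain-http URL left as-is, review manually: {m.group(0)}")
            return m.group(0)

        out.append(HTTP_URL_RE.sub(repl, line))

    if buildout_seen and not index_seen:
        notes.append("[buildout] sets no 'index' option; buildout will use its default index, set one explicitly")

    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, notes


if __name__ == "__main__":
    rewritten, findings = harden_buildout(SAMPLE_CFG)
    print(rewritten)
    for note in findings:
        print("NOTE:", note)
```

Run it against the real file with `harden_buildout(open("buildout.cfg").read())` and write the first element back once the notes have been reviewed; the script deliberately does not touch URLs on hosts it does not know, since blindly switching a private egg server to https would just produce a different connection error.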

Thanks @alert - we have included that in the hotfix installation instructions
