Security vulnerability pre-announcement 20200121

erral · January 8, 2020, 12:00pm

This was published earlier today:

According to it, the patch can be installed as in previous versions:

Patches are made available as tarball-style archives that may be unpacked into the products folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

But we have seen that this 'products' folder is not available in Plone 5.2 with python 3.

Can anyone confirm that this method of installing the patch is available or we will need to run buildout?

Thanks

mauritsvanrees · January 8, 2020, 2:49pm

I was not aware that the products folder no longer works. But you are right, I tried adding products = some/dir in the instance part of a buildout config on Plone 5.2, both with Python 2 and 3, and that gives an error when trying to start Plone:

Error: 'products' is not a known key name

Apparently this got removed in Zope 4.

So you are right: on Plone 5.2 you will need to run buildout.

erral · January 8, 2020, 3:10pm

Ok, so someone needs to update the installation instructions on plone.org

mauritsvanrees · January 8, 2020, 3:16pm

I already did that.