The Plone security hotfix 20200121 has been released

The Plone security hotfix 20200121 has been released. Please see

3 Likes

Thanks a lot everybody!

1 Like

great work! thanks to all people involved into fixing (security related) bugs and doing the release work!

1 Like

Thanks for work!

1 Like

https://plone.org/download/releases/5.2.1 has been updated with Plone-5.2.1-UnifiedInstaller-r2.tgz which includes PloneHotfix20200121

…wondering if I need to do the same for https://plone.org/download/releases/5.1.6 and https://plone.org/download/releases/4.3.19… probably (but not today)

I am a bit confused about this paragraph.

SQL quoting in DTML or in connection objects was insufficient, leading to possible SQL injections. This is a problem in Zope. If you use Zope without Plone, this hotfix should work for you too. Reported and fixed by Michael Brunnbauer and Michael Howitz.

You can read This is a problem in Zope.

Over at the Zope issue tracker ( https://github.com/zopefoundation/Zope/issues/760 ) you can read The one fix that mentions Zope fixes addon packages, not Zope itself.

So, could anybody (maybe @icemac who fixed the problem) tell me what package is affected? Thank you!

I created an issue in CMFPlone to track getting all the fixes in core:

The SQL quoting problem needs fixes in DocumentTemplate , Products.PythonScripts , and Products.ZSQLMethods (for Shared.DC.ZRDB.Connection ). Either I or someone else can prepare PRs. But the entire hotfix fixes six problems, divided over about ten packages, in various versions, so it can take a while.

And yes, I will be at the Alpine City Sprint, and Michael too, so we can talk.

1 Like

Plone Foundation Code of Conduct