The Plone security hotfix 20200121 has been released. Please see
Thanks a lot everybody!
Great work! Thanks to all people involved in fixing (security related) bugs and doing the release work!
Thanks for the work!
https://plone.org/download/releases/5.2.1 has been updated with Plone-5.2.1-UnifiedInstaller-r2.tgz which includes PloneHotfix20200121
I am a bit confused about this paragraph.
SQL quoting in DTML or in connection objects was insufficient, leading to possible SQL injections. This is a problem in Zope. If you use Zope without Plone, this hotfix should work for you too. Reported and fixed by Michael Brunnbauer and Michael Howitz.
You can read "This is a problem in Zope."
Over at the Zope issue tracker (https://github.com/zopefoundation/Zope/issues/760) you can read "The one fix that mentions Zope fixes addon packages, not Zope itself."
So, could anybody (maybe @icemac who fixed the problem) tell me what package is affected? Thank you!
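To make the "SQL quoting was insufficient" wording in the hotfix announcement concrete, here is an added example that is not code from the hotfix, from Zope, or from any poster in this thread. It uses Python's sqlite3 module and a hypothetical naive_sql_quote helper standing in for a minimal quoting routine; the users table and its rows are constructed for the demo. It shows the general point rather than the specific Zope defect: doubling single quotes only protects a value that is actually placed inside a quoted string literal, so in a numeric context the quoting never applies and the input is parsed as SQL; the hardened form checks the type and lets the driver bind the parameter.

```python
import sqlite3

# Constructed sample schema and rows; not Zope's ZRDB or any real deployment.
SAMPLE_ROWS = [(1, "alice", "admin"), (2, "bob", "user")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_sql_quote(value):
    """Hypothetical minimal quoting helper: wraps the value in single quotes
    and doubles any embedded single quote. It only helps when the caller
    really places the result inside a quoted string literal."""
    return "'" + str(value).replace("'", "''") + "'"


def lookup_by_name_interpolated(conn, name):
    """String context: the helper is applied, so a quote in the input stays
    inside the literal and the query still matches by exact name."""
    sql = "SELECT id, name FROM users WHERE name = %s" % naive_sql_quote(name)
    return conn.execute(sql).fetchall()


def lookup_by_id_interpolated(conn, user_id):
    """Numeric context: the template carries no quotes, so the helper is never
    involved and whatever text arrives becomes part of the SQL statement."""
    sql = "SELECT id, name FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def lookup_by_id_bound(conn, user_id):
    """Hardened form: reject anything that is not an int up front, then let the
    driver bind the parameter so the value can never be parsed as SQL."""
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise TypeError("user_id must be an int, got %r" % (user_id,))
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_by_name_bound(conn, name):
    """Hardened form for the string case: parameter binding instead of quoting."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("interpolated, id=1:", lookup_by_id_interpolated(conn, 1))
    print("interpolated, id='1 OR 1=1':", lookup_by_id_interpolated(conn, "1 OR 1=1"))
    try:
        lookup_by_id_bound(conn, "1 OR 1=1")
    except TypeError as exc:
        print("bound lookup rejects it:", exc)
```

Running the module prints one row for the honest integer lookup and every row for the non-numeric string passed through the interpolated query, while the bound variant refuses the same string before any SQL is built. The same contrast is what a reviewer would look for when auditing DTML templates or connection wrappers: any place a value reaches SQL text without going through parameter binding, regardless of which quoting helper is available.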
I created an issue in CMFPlone to track getting all the fixes in core:
The SQL quoting problem needs fixes in Products.PythonScripts, and Shared.DC.ZRDB.Connection. Either I or someone else can prepare PRs. But the entire hotfix fixes six problems, divided over about ten packages, in various versions, so it can take a while.
And yes, I will be at the Alpine City Sprint, and Michael too, so we can talk.