The Plone security hotfix 20200121 has been released. Please see
Thanks a lot everybody!
Great work! Thanks to all people involved in fixing (security related) bugs and doing the release work!
Thanks for the work!
https://plone.org/download/releases/5.2.1 has been updated with Plone-5.2.1-UnifiedInstaller-r2.tgz which includes PloneHotfix20200121
…wondering if I need to do the same for https://plone.org/download/releases/5.1.6 and https://plone.org/download/releases/4.3.19… probably (but not today)
I am a bit confused about this paragraph.
SQL quoting in DTML or in connection objects was insufficient, leading to possible SQL injections. This is a problem in Zope. If you use Zope without Plone, this hotfix should work for you too. Reported and fixed by Michael Brunnbauer and Michael Howitz.
You can read: "This is a problem in Zope."
Over at the Zope issue tracker (What about a new release? · Issue #760 · zopefoundation/Zope · GitHub) you can read: "The one fix that mentions Zope fixes addon packages, not Zope itself."
So, could anybody (maybe @icemac who fixed the problem) tell me what package is affected? Thank you!
I created an issue in CMFPlone to track getting all the fixes in core:
The SQL quoting problem needs fixes in DocumentTemplate, Products.PythonScripts, and Products.ZSQLMethods (for Shared.DC.ZRDB.Connection). Either I or someone else can prepare PRs. But the entire hotfix fixes six problems, divided over about ten packages, in various versions, so it can take a while.
And yes, I will be at the Alpine City Sprint, and Michael too, so we can talk.