The Plone security hotfix 20200121 has been released

The Plone security hotfix 20200121 has been released. Please see

3 Likes

Thanks a lot everybody!

1 Like

Great work! Thanks to all the people involved in fixing (security-related) bugs and doing the release work!

1 Like

Thanks for the work!

1 Like

https://plone.org/download/releases/5.2.1 has been updated with Plone-5.2.1-UnifiedInstaller-r2.tgz which includes PloneHotfix20200121

…wondering if I need to do the same for https://plone.org/download/releases/5.1.6 and https://plone.org/download/releases/4.3.19… probably (but not today)

I am a bit confused about this paragraph.

SQL quoting in DTML or in connection objects was insufficient, leading to possible SQL injections. This is a problem in Zope. If you use Zope without Plone, this hotfix should work for you too. Reported and fixed by Michael Brunnbauer and Michael Howitz.

You can read "This is a problem in Zope."

Over at the Zope issue tracker (What about a new release? · Issue #760 · zopefoundation/Zope · GitHub) you can read "The one fix that mentions Zope fixes addon packages, not Zope itself."

So, could anybody (maybe @icemac who fixed the problem) tell me what package is affected? Thank you!

I created an issue in CMFPlone to track getting all the fixes in core:

The SQL quoting problem needs fixes in DocumentTemplate, Products.PythonScripts, and Products.ZSQLMethods (for Shared.DC.ZRDB.Connection). Either I or someone else can prepare PRs. But the entire hotfix fixes six problems, divided over about ten packages, in various versions, so it can take a while.

And yes, I will be at the Alpine City Sprint, and Michael too, so we can talk.

1 Like