URGENT / ACTION REQUIRED Plone security vulnerability, hotfix 20150910

The Plone security team is releasing the following hotfix that affects all current Plone versions.

Please make arrangements to install this hotfix as soon as possible. See below for more information.



Thanks for that, works like a charm. Any special reason why this was not pre-announced?

Pre-announcement would have been nice.
If it's urgent enough to make this message, it should be urgent enough to mail people beforehand.

Even the fixes for Heartbleed had a pre-announcement.
Sorry, but this was suboptimal. 24 hours' prior information would have been enough.


My understanding is that there was already an exploit in the wild. The issue was reported and the patch issued within a few hours.

Ideally, yes, we'd make a pre-announcement for any security releases. We made the decision not to pre-announce this hotfix because we had proof that the issue was already being exploited and because the discussion discovering the vulnerability took place in a public channel. The patch was quickly put together, tested, and released. Sitting on the finished hotfix for a day (or until the "Patch Tuesday" we've used in the past), while the vulnerability was actively being exploited, was deemed to be irresponsible.

If anyone has questions about the specifics of the issue or the hotfix, please email the security team at security@plone.org. Contacting team members individually will not result in a response.


Thank you for explaining, Eric!