[versions] section for Hotfix20151006 in Plone 4.3.18

Hi,

is there anyone who can help me with the Plone CSRF protection? The pins for the [versions] section given on https://plone.org/security/hotfix/20151006 are not working for Plone 4.3.18 (e.g. plone4.csrffixes = 1.0.9 should be 1.1). The problem has already been discussed here: https://github.com/plone/plone.protect/issues/55

What about the other pins mentioned there (plone.protect, plone.keyring, plone.locking, Products.CMFQuickInstallerTool and Products.PlonePAS)? Aren't they up to date for Plone 4.3.18?

As far as I know (and I seem to be right looking at http://dist.plone.org/release/4.3.18/versions.cfg) all versions are up to date already and the page https://plone.org/security/hotfix/20151006 needs an overhaul.
IIRC, you still need to actively include plone4.csrffixes in the buildout's instance section to enable plone.protect's automatic protection features.

Is plone.protect = 2.0.3 (on http://dist.plone.org/release/4.3.18/versions.cfg) up to date?

With only actively including plone4.csrffixes, the following happens:

Getting distribution for 'plone4.csrffixes==1.1'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone4.csrffixes 1.1.
Getting distribution for 'plone.locking==2.0.10'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.locking 2.0.10.
Getting distribution for 'plone.keyring==3.0.2'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.keyring 3.0.2.
Version and requirements information containing plone.protect:
  [versions] constraint on plone.protect: 2.0.3
  Requirement of plone4.csrffixes==1.1: plone.protect>=3.0.19
  Requirement of Products.CMFPlone: plone.protect>1.0
While:
  Installing instance.
Error: The requirement ('plone.protect>=3.0.19') is not allowed by your [versions] constraint (2.0.3)

A perfect error message. It suggests pinning plone.protect to 3.0.19 or using an older version of plone4.csrffixes.

I can see that. My question is: what is the recommended version pin for plone.protect in Plone 4.3.18 using plone4.csrffixes? And why is plone.protect pinned to 2.0.3 in http://dist.plone.org/release/4.3.18/versions.cfg?

We use these pinned versions:
plone4.csrffixes = 1.0.9
plone.locking = 2.0.10
plone.keyring = 3.0.1
plone.protect = 3.0.18

Thanks for the hint Michael. For me the best combination was the following:

eggs =
	plone4.csrffixes

[versions]
	plone.protect = 3.1.4
Getting distribution for 'plone4.csrffixes==1.1'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone4.csrffixes 1.1.
Getting distribution for 'plone.locking==2.0.10'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.locking 2.0.10.
Getting distribution for 'plone.keyring==3.0.2'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.keyring 3.0.2.
Getting distribution for 'plone.protect==3.1.4'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.protect 3.1.4.
Getting distribution for 'Products.PlonePAS==5.1.0'.
warning: no previously-included files matching '*.py?' found anywhere in distribution
Got Products.PlonePAS 5.1.0.
Getting distribution for 'Products.CMFQuickInstallerTool==3.0.16'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got Products.CMFQuickInstallerTool 3.0.16.

plone4.csrffixes=1.0.9 as suggested in 20151006 doesn't work for the reasons discussed here. In Plone 4.3.18, plone4.csrffixes=1.1 is automatically installed with the correct pin. plone.protect==3.1.4 works for me. The other pins, as Jens already said, are not necessary. plone4.csrffixes=4.1.0 (what I tested before) doesn't work because of a SyntaxError ("unqualified exec is not allowed in function 'call' it contains a nested function with free variables").

I think the hotfix description needs an overhaul.
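As an added example (not from this thread and not buildout's own code), a small Python script that reproduces the check behind the "not allowed by your [versions] constraint" error: it parses the pins from a [versions] section and tests them against the requirement specifiers the log lists, for the usual comparison operators. The sample config and requirement strings below are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the plone.protect pin from the 4.3.18 versions.cfg and the
# two requirements buildout reported in the thread.
VERSIONS_CFG = """\
[versions]
plone.protect = 2.0.3
plone4.csrffixes = 1.1
"""

REQUIREMENTS = {
    "plone4.csrffixes==1.1": "plone.protect>=3.0.19",
    "Products.CMFPlone": "plone.protect>1.0",
}

OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def parse_versions(cfg_text):
    """Return {name: version} for the pins in a buildout [versions] section."""
    pins, in_section = {}, False
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[versions]"
            continue
        if in_section and "=" in line and not line.startswith("#"):
            name, version = (part.strip() for part in line.split("=", 1))
            pins[name.lower()] = version
    return pins

def version_key(version):
    """Numeric tuple so that 2.0.3 < 3.0.19 compares correctly (not as strings)."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def find_conflicts(pins, requirements):
    """Return (requirer, spec, pinned) for every pin that violates a requirement."""
    conflicts = []
    for requirer, spec in requirements.items():
        name, op, wanted = re.match(r"^([\w.\-]+)\s*(>=|<=|==|!=|>|<)\s*([\d.]+)$", spec).groups()
        pinned = pins.get(name.lower())
        if pinned is not None and not OPS[op](version_key(pinned), version_key(wanted)):
            conflicts.append((requirer, spec, pinned))
    return conflicts

if __name__ == "__main__":
    for requirer, spec, pinned in find_conflicts(parse_versions(VERSIONS_CFG), REQUIREMENTS):
        print("Error: requirement %r of %s is not allowed by [versions] pin %s" % (spec, requirer, pinned))
```

Re-running with `plone.protect = 3.1.4` in the sample config yields no conflicts, matching the working combination reported above.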