What about the other pins mentioned there (plone.protect, plone.keyring, plone.locking, Products.CMFQuickInstallerTool and Products.PlonePAS)? Aren't they up to date for Plone 4.3.18?
As far as I know (and I seem to be right looking at http://dist.plone.org/release/4.3.18/versions.cfg) all versions are up to date already and the page https://plone.org/security/hotfix/20151006 needs an overhaul.
IIRC, you still need to actively include plone4.csrffixes in the buildout's instance section to enable plone.protect's automatic protection features.
With only plone4.csrffixes actively included, the following happens:
Getting distribution for 'plone4.csrffixes==1.1'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone4.csrffixes 1.1.
Getting distribution for 'plone.locking==2.0.10'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.locking 2.0.10.
Getting distribution for 'plone.keyring==3.0.2'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.keyring 3.0.2.
Version and requirements information containing plone.protect:
[versions] constraint on plone.protect: 2.0.3
Requirement of plone4.csrffixes==1.1: plone.protect>=3.0.19
Requirement of Products.CMFPlone: plone.protect>1.0
While:
Installing instance.
Error: The requirement ('plone.protect>=3.0.19') is not allowed by your [versions] constraint (2.0.3)
I can see that. My question is: What is the recommended version pin for plone.protect in Plone 4.3.18 using plone4.csrffixes? And why is plone.protect pinned to 2.0.3 in http://dist.plone.org/release/4.3.18/versions.cfg?
Getting distribution for 'plone4.csrffixes==1.1'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone4.csrffixes 1.1.
Getting distribution for 'plone.locking==2.0.10'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.locking 2.0.10.
Getting distribution for 'plone.keyring==3.0.2'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.keyring 3.0.2.
Getting distribution for 'plone.protect==3.1.4'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got plone.protect 3.1.4.
Getting distribution for 'Products.PlonePAS==5.1.0'.
warning: no previously-included files matching '*.py?' found anywhere in distribution
Got Products.PlonePAS 5.1.0.
Getting distribution for 'Products.CMFQuickInstallerTool==3.0.16'.
warning: no previously-included files matching '*pyc' found anywhere in distribution
Got Products.CMFQuickInstallerTool 3.0.16.
plone4.csrffixes=1.0.9 as suggested in 20151006 doesn't work for the reasons discussed here. In Plone 4.3.18, plone4.csrffixes=1.1 is automatically installed with the correct pin. plone.protect==3.1.4 works for me. The other pins, as Jens already said, are not necessary. plone4.csrffixes=4.1.0 (what I tested before) doesn't work because of a SyntaxError (unqualified exec is not allowed in function 'call' it contains a nested function with free variables).
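The combination reported in this thread, written out as a buildout.cfg fragment. This is an added example, not a configuration posted by any participant; it assumes an existing `[instance]` part whose other options are unchanged and an egg list that otherwise contains only `Plone`.

```ini
[buildout]
extends = http://dist.plone.org/release/4.3.18/versions.cfg
versions = versions

[instance]
# Assumption: recipe, user and port options of the existing part stay as they are.
# plone4.csrffixes must be listed explicitly to enable plone.protect's
# automatic CSRF protection on Plone 4.3.
eggs =
    Plone
    plone4.csrffixes

[versions]
# The 4.3.18 release file pins plone.protect = 2.0.3, which conflicts with
# plone4.csrffixes 1.1 (requires plone.protect>=3.0.19). A pin in the local
# [versions] section overrides the one from the extended file.
plone.protect = 3.1.4
```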