Zope 4.6.1 and 5.2.1 released with an important security fix

On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.6.1 and 5.2.1.

This bugfix release solves a few minor issues and also contains an important security fix, see below. For the full list of changes see the change logs at Change log — Zope documentation 4.5 documentation and Change log — Zope documentation 5.2 documentation.

Installation instructions can be found at Installing Zope — Zope documentation 4.5 documentation and Installing Zope — Zope documentation 5.2 documentation.

NOTE: These releases contain an expanded security fix that prevents remote code execution through TAL expressions. The first iteration of the security fix in Zope 4.6 and 5.2 did not catch all cases of unauthorized TAL path expression traversal. Just like the first fix, you will only ever be at risk if you allow untrusted users to add or edit Zope Page Template objects, which is a very unusual non-standard site configuration. For more details, see the security advisory at Remote Code Execution via traversal in TAL expressions · Advisory · zopefoundation/Zope · GitHub. A CVE has been requested through GitHub.

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See 20210518 — Plone: Enterprise Level CMS - Free and OpenSource - Community Driven - Secure. Don't install Zope 4.6.1 or 5.2.1 into an existing Plone setup without testing. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.


Version 1.4 of the hotfix is available:

  • plone.org. If you grab the zip from here, please check that the version.txt contains 1.4 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding ?x=1 then.
  • PyPI

Recommended for all. From the changelog:

1.4 (2021-06-08)

  • Use safe html transform instead of escape for richtext diff. Otherwise the inline diff is not inline anymore.
    (I forgot to add this to the changelog on PyPI/plone.org).

  • With PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST=1 in the OS environment, use a denylist for determining which mimetypes can be displayed inline.
    By default we use an allowlist with the most used image types, plain text, and PDF.
    The denylist contains svg, javascript, and html, which have known cross site scripting possibilities.

  • By popular request, allow showing PDF files inline.
    Note: browser preference plays a part in what actually happens.

  • In untrusted path expressions with modules, check that each module is allowed.
    In the first version of the hotfix we disallowed modules that were available as a 'private' alias, for example random._itertools.
    But if random.itertools without underscore had been available, it was still allowed, even though itertools had not been explicitly allowed.
    (itertools might be fine to allow, it is just an example.)
    This version is a recommended upgrade for all users.
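The last changelog item above, as an added illustration that is not the PloneHotfix20210518 code: it contrasts a check that only rejects underscore ('private') aliases with one that verifies every module reached along an untrusted path expression against an explicit allowlist. The `safe`/`inner` modules, the `ROOT` namespace and the `ALLOWED` set are constructed stand-ins for the real `modules/...` traversal.

```python
"""Per-step module check for untrusted path expressions (illustration)."""
import types

# Constructed sample namespace: `safe` is the only allowed module, and it
# exposes a second module both under a plain name and a private alias.
inner = types.ModuleType("inner")
inner.secret = lambda: "reachable only if 'inner' itself is allowed"
safe = types.ModuleType("safe")
safe.VERSION = "1.0"
safe.inner = inner      # plain alias, like random.itertools in the post
safe._inner = inner     # private alias, like random._itertools
ROOT = {"safe": safe}   # stand-in for the modules/ traversal root
ALLOWED = {"safe"}      # hypothetical allowlist of module names


def naive_resolve(path, root=ROOT, allowed=ALLOWED):
    """First-version behaviour: the root must be allowed and no segment
    may start with an underscore; modules reached under a plain name pass."""
    segs = path.split("/")
    if segs[0] not in allowed:
        raise PermissionError(segs[0])
    obj = root[segs[0]]
    for seg in segs[1:]:
        if seg.startswith("_"):
            raise PermissionError(seg)
        obj = getattr(obj, seg)
    return obj


def strict_resolve(path, root=ROOT, allowed=ALLOWED):
    """Fixed behaviour: every module reached, under whatever attribute
    name, must itself be in the allowlist."""
    segs = path.split("/")
    if segs[0] not in allowed:
        raise PermissionError(segs[0])
    obj = root[segs[0]]
    for seg in segs[1:]:
        if seg.startswith("_"):
            raise PermissionError(seg)
        obj = getattr(obj, seg)
        if isinstance(obj, types.ModuleType) and obj.__name__ not in allowed:
            raise PermissionError("module %s not allowed" % obj.__name__)
    return obj


def permitted(resolver, path):
    """True if the resolver lets the path through, False if it refuses."""
    try:
        resolver(path)
    except PermissionError:
        return False
    return True
```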