On behalf of Zope developer community I am pleased to announce the releases of Zope 4.6.3 and 5.3.
This bugfix release solves a few minor issues and contains a security fix. For the full list of changes see the change logs at Change log — Zope documentation 4.6 documentation and Change log — Zope documentation 5.3 documentation.
Installation instructions can be found at Installing Zope — Zope documentation 4.6 documentation and Installing Zope — Zope documentation 5.3 documentation.
These releases contain a security fix that prevents remote code execution through Script (Python) objects. You are only at risk if all of the following are true:
- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
- You have installed the optional Products.PythonScripts add-on package
- You allow untrusted non-admin users to add or edit Script (Python) objects
By default, untrusted non-admin users cannot add or edit Script (Python) objects, only “Manager” users can. Enabling this level of access for untrusted users would be a very unusual configuration and it is highly unlikely any site administrator would do so to begin with.
The related security advisories with full details are published here:
- Remote Code Execution via Script (Python) objects under Python 3 · Advisory · zopefoundation/Zope · GitHub
- Remote Code Execution via unsafe classes in otherwise permitted modules · Advisory · zopefoundation/AccessControl · GitHub
NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See 20210518 — Plone: Enterprise Level CMS - Free and OpenSource - Community Driven - Secure. Don't install Zope 4.6.3 or 5.3 into an existing Plone setup without testing. The PloneHotfix package ensures that the Zope changes don't interfere with Plone add-ons.