Zope 4.6.3 and 5.3 released with a security fix

On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.6.3 and 5.3.

This bugfix release solves a few minor issues and contains a security fix. For the full list of changes see the change logs at Change log — Zope documentation 4.6 documentation and Change log — Zope documentation 5.3 documentation.

Installation instructions can be found at Installing Zope — Zope documentation 4.6 documentation and Installing Zope — Zope documentation 5.3 documentation.

These releases contain a security fix that prevents remote code execution through Script (Python) objects. You are only at risk if all of the following are true:

  • You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
  • You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
  • You have installed the optional Products.PythonScripts add-on package
  • You allow untrusted non-admin users to add or edit Script (Python) objects

By default, untrusted non-admin users cannot add or edit Script (Python) objects, only “Manager” users can. Enabling this level of access for untrusted users would be a very unusual configuration and it is highly unlikely any site administrator would do so to begin with.

The related security advisories with full details are published here:

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See 20210518 — Plone: Enterprise Level CMS - Free and OpenSource - Community Driven - Secure. Don't install Zope 4.6.3 or 5.3 into an existing Plone setup without testing. The PloneHotfix package ensures that the Zope changes don't interfere with Plone add-ons.
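As an added example (not part of the announcement or of the Zope project), here is a small triage helper that evaluates the four risk conditions listed above for one deployment; the `Deployment` fields and the sample versions are assumptions, and the point it makes beyond the list is that version strings must be compared numerically, since a plain string comparison would wrongly rank a hypothetical "4.10.0" below "4.6.3".

```python
"""Triage check for the Zope Script (Python) RCE fix described above.
Added example, not code from the Zope or Plone projects."""
import re
from dataclasses import dataclass

# Fixed versions named in the announcement: Zope 4 -> 4.6.3, Zope 5 -> 5.3
FIXED = {4: (4, 6, 3), 5: (5, 3, 0)}


def parse_version(text: str) -> tuple:
    """Turn '4.6.3' or '5.3' into a comparable tuple of ints, padded to 3 parts.
    A non-numeric suffix such as '3b1' is truncated to its leading digits, so a
    pre-release is treated like the final release; adequate for triage."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


@dataclass
class Deployment:
    zope_version: str                   # e.g. "4.6.2" (constructed values in tests)
    python_major: int                   # 2 or 3
    has_pythonscripts: bool             # Products.PythonScripts installed
    untrusted_can_edit_scripts: bool    # non-Manager users may add/edit Script (Python)


def is_affected(d: Deployment) -> bool:
    """True only when all four conditions from the announcement hold."""
    version = parse_version(d.zope_version)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return False  # major version not named in the advisory (e.g. Zope 2)
    return (
        d.python_major == 3
        and version < fixed             # tuple comparison, not string comparison
        and d.has_pythonscripts
        and d.untrusted_can_edit_scripts
    )
```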


I have released version 1.6 of the Plone hotfix. Only needed on Plone 5.2 with Python 3, but installing it on older versions is safe too.

Alternatively, on Plone 5.2 it is also fine to upgrade AccessControl to version 4.3. But you must have at least version 1.5 of the hotfix included, to avoid other problems.
