Zope 4.6 and 5.2 released with an important security fix

On behalf of the Zope developer community, I am pleased to announce the releases of Zope 4.6 and 5.2.

These bugfix releases solve a few minor issues and also contain an important security fix; see below. For the full list of changes, see the change logs at Change log — Zope documentation 4.5 documentation and Change log — Zope documentation 5.0 documentation.

Installation instructions can be found at Installing Zope — Zope documentation 4.5 documentation and Installing Zope — Zope documentation 5.0 documentation.

NOTE: These releases contain a security fix that prevents remote code execution through TAL expressions. You will only be at risk if you allow untrusted people to add or edit Zope Page Template objects. For more details, see the security advisory at Remote Code Execution via traversal in TAL expressions · Advisory · zopefoundation/Zope · GitHub. A CVE has been requested through GitHub.

NOTE FOR PLONE USERS: Please stick with PloneHotfix20210518; see 20210518 — Plone: Enterprise Level CMS - Free and OpenSource - Community Driven - Secure. Don't install Zope 4.6 or 5.2 into an existing Plone setup without testing. The security changes in Zope break some Plone add-ons that relied on the old insecure traversal behavior. These will need to be fixed in the respective add-on product first.