On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.8.1 and 5.5.1.
These bugfix releases attempt to address an important security issue in the waitress WSGI server software that Zope uses as its default WSGI server component. Unfortunately, the fixed waitress version 2.1.1 has only been released for Python versions 3.7 and higher.
Zope 4.8.1 and 5.5.1 now require the fixed waitress package IF it is running on Python 3.7 or higher. Previous Python versions do not have the security fix and we as Zope maintainers cannot provide a fixed waitress release for deployments on Python 2.7, 3.5 and 3.6.
Even though Zope 4 still supports Python 2.7, 3.5 and 3.6, and Zope 5 still supports Python 3.6, we strongly advise you to either upgrade your Zope installation to at least Python 3.7, or switch to a different WSGI server. See "Configuring and Running Zope" in the Zope 5.3 documentation for some choices.
Installation instructions can be found at "Installing Zope" in the Zope 4.6 documentation and "Installing Zope" in the Zope 5.3 documentation.
Detailed information about the waitress security issue is available in the GitHub advisory "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in waitress" in the Pylons/waitress repository.