Zope 4.8.9 and 5.8.4 released with a security fix

On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.8.9 and 5.8.4.

These bugfix releases solve a few minor issues and contain a security fix. For the full list of changes see the change logs at Change log — Zope 4.8.9 documentation and Change log — Zope 5.8.4 documentation.

Installation instructions can be found at Installing Zope — Zope 4.8.9 documentation and Installing Zope — Zope 5.8.4 documentation.

These releases contain a security fix for the RestrictedPython and AccessControl packages, which would allow an attacker with enough privileges to add or edit Zope objects containing code (DTML Methods and Documents, Script (Python) or Page Templates) to access Python objects outside of the Zope sandbox. Due to the high level of access privilege required - normally only administrator-level users are allowed to add or edit the affected Zope objects - the risk to Zope and Plone site maintainers is limited.

The related security advisories with full details are published here:
