Zope 5.11.1 released with security fixes

On behalf of the Zope developer community, I am pleased to announce the release of Zope 5.11.1 with several security fixes.

This bugfix release relies on waitress version 3.0.1. Version 3.0.0 suffers from two vulnerabilities; see the advisories Request processing race condition in HTTP pipelining with invalid first request · Advisory · Pylons/waitress · GitHub and DoS leading to high CPU usage/resource exhaustion · Advisory · Pylons/waitress · GitHub. If you cannot upgrade your installation to Zope 5.11.1, it is sufficient to upgrade waitress to version 3.0.1 as a workaround.

AccessControl has been updated to release 7.2. Earlier versions suffer from a security issue where anonymous users could delete all users stored in a standard Zope user folder. Only the standard user folder is affected; most deployments, such as those using Plone, do not use this standard user folder and are not affected. If you cannot upgrade your installation to Zope 5.11.1, it is sufficient to upgrade AccessControl to version 7.2 as a workaround.

For details of the changes, see Change log - Zope 5.11.1 documentation

To install the new version, see Installing Zope - Zope 5.11.1 documentation

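Both workarounds above come down to the same check: is the installed waitress at least 3.0.1 and the installed AccessControl at least 7.2? The script below is an added example (not code from the Zope project or from the announcement) that audits the current Python environment against those two minimums. It uses only the standard library; the version parser is a deliberately minimal numeric dotted-version comparison written for this example, and the status strings it returns are my own wording, not anything Zope prints.

```python
"""Audit an environment for the minimum waitress and AccessControl versions
named in the Zope 5.11.1 announcement. Added example, not Zope project code."""
from importlib import metadata

# Minimum fixed versions as stated in the announcement.
MINIMUM_VERSIONS = {
    "waitress": "3.0.1",
    "AccessControl": "7.2",
}


def parse_version(version: str) -> tuple:
    """Turn '3.0.1' into (3, 0, 1). Each dotted component is read up to its
    first non-digit, so a suffix like '1rc1' counts as 1. Minimal on purpose:
    enough for these packages, not a replacement for the packaging library."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def needs_upgrade(installed: str, minimum: str) -> bool:
    """True when the installed version is older than the minimum.
    Shorter tuples are zero-padded so '7.2' compares equal to '7.2.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(installed_versions: dict) -> dict:
    """Map package name -> status string for each package in MINIMUM_VERSIONS.
    A missing package is reported rather than treated as an error, because a
    deployment may legitimately not have waitress installed at all."""
    report = {}
    for name, minimum in MINIMUM_VERSIONS.items():
        installed = installed_versions.get(name)
        if installed is None:
            report[name] = "not installed"
        elif needs_upgrade(installed, minimum):
            report[name] = f"VULNERABLE: {installed} < {minimum}, upgrade"
        else:
            report[name] = f"ok: {installed}"
    return report


def installed_versions_from_environment() -> dict:
    """Read the versions actually installed in this Python environment."""
    found = {}
    for name in MINIMUM_VERSIONS:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    for package, status in audit(installed_versions_from_environment()).items():
        print(f"{package}: {status}")
```

Run it with the same interpreter that runs your Zope instance (for a buildout or virtualenv install, the `bin/python` of that environment), otherwise it reports on the wrong site-packages. Note that the AccessControl line only matters if the instance actually uses the standard Zope user folder; for a Plone site the waitress line is the one to act on.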