Plone Hotfix

Hotfixes are updates for security or other issues that show up between official releases.

Project Description

Update (2014-01-09): this information is out of date.

Hotfixes are now managed using a dedicated add-on (plone.app.vulnerabilities) and are listed at <http://plone.org/security/hotfixes/>

Original text follows for reference:

These hotfix packages are temporary in nature, and should only be installed when there is a known problem affecting a specific Plone release. The rationale for these releases is to get fixes out without the overhead of a full release cycle if necessary.

Do not install a hotfix unless you know that it covers the specific problem you are experiencing with your exact version of Plone.

Most Recent Hotfix
Plone Hotfix 20130618

Released Jun 18, 2013 — tested with Plone 4.3, Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5, Plone 2.1

A hotfix for all versions of Plone <= 4.2.5 and Plone 4.3 <= 4.3. Fixes various vulnerabilities in Zope and Plone including arbitrary code execution and privilege escalation.

All Hotfixes

Each entry lists the hotfix identifier, its release date, a description, and the Plone releases it was tested with.

Hotfix 20130618 (released Jun 18, 2013)
Description: A hotfix for all versions of Plone <= 4.2.5 and Plone 4.3 <= 4.3. Fixes various vulnerabilities in Zope and Plone including arbitrary code execution and privilege escalation.
Compatibility: Plone 4.3, Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5, Plone 2.1

Hotfix 20121106 (released Nov 06, 2012)
Description: A hotfix for all versions of Plone <= 4.2.2 and Plone 4.3 < beta 1. Fixes various vulnerabilities in Zope and Plone including arbitrary code execution and privilege escalation.
Compatibility: Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5, Plone 2.1

Hotfix 20110928 (released Oct 04, 2011)
Description: Apply to Plone 4.0.x series <= 4.0.9, 4.1(.0), 4.2 <= 4.2a2. Fixes highly serious vulnerabilities in Zope and Plone that allow execution of arbitrary code by anonymous users.
Compatibility: Plone 4.1, Plone 4

Hotfix 20110622 (released Jun 28, 2011)
Description: Apply to Plone 4.0.x series <= 4.0.7, 4.1 <= RC1, 3.x series <= 3.3.5. Fixes a highly serious vulnerability in Zope that allows unauthorized access.
Compatibility: Plone 4, Plone 3

Hotfix 20110531 (released Jun 01, 2011)
Description: Apply to Plone series 4.x <= 4.0.5, 3.x <= 3.3.5, 2.5.x. Fixes multiple vulnerabilities.
Compatibility: Plone 4, Plone 3, Plone 2.5

Hotfix CVE-2011-0720 (released Feb 08, 2011)
Description: Apply to Plone 4.x series <= 4.0.3, 3.x series <= 3.3.5, 2.5.x series, 2.1, 2.0. Blocks an escalation of privileges attack.
Compatibility: Plone 4, Plone 3, Plone 2.5, Plone 2.1, Plone 2.0

Hotfix 20100612 (released Jun 19, 2010)
Description: Apply to Plone 3.x series <= 3.3.5, 2.5.x, 2.1. Fixes a flaw in the safe_html transform that allows arbitrary HTML to be injected into pages without being filtered.
Compatibility: Plone 3, Plone 2.5, Plone 2.1

Hotfix CVE-2008-0164 (released May 13, 2008)
Description: This update protects security-sensitive forms in Plone from cross-site request forgery (CSRF) attacks. The hotfix only applies to Plone 3.0.x; Plone 3.1.x or later have this built in and do not need this hotfix installed. If you have older releases that you can't upgrade, please read about available workarounds.
Compatibility: Plone 3

Hotfix 20071106-2 (released Nov 18, 2007)
Description: This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. This allows an attacker to run arbitrary Python code within the Zope/Plone process. Version 2 of the hotfix corrects several bugs found in the original release.
Compatibility: Plone 2.5, Plone 3

Hotfix 20071106 (released Nov 17, 2007)
Description: This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. This allows an attacker to run arbitrary Python code within the Zope/Plone process.
Compatibility: Plone 2.5, Plone 3

Hotfix 20061031 (released Nov 02, 2006)
Description: PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) have a potential vulnerability that allows a user to masquerade as a group. Please update your sites.
Compatibility: Plone 2.5.1, Plone 2.5

Hotfix CVE-2006-3458 (released Aug 23, 2006)
Description: Bundled installers for the Zope ReStructured Text security problem. Only required if you downloaded your Plone 2.5 release before July 11th 2006; all later releases have this included. This issue only affects installations that let untrusted users add content. On August 22 2006, a new version of the Windows installer was added; if you downloaded a prior version of the Windows hotfix, you will need to download this new version.
Compatibility: Plone 2.5, Plone 2.1

Hotfix 20060518 (released May 18, 2006)
Description: This hotfix applies to all versions of Plone 2. At the time of this writing these are Plone 2.0.5, 2.1.2, 2.1.3-rc1, and 2.5-beta2.
Compatibility: Plone 2.5

Hotfix 2006-04-10 (released Apr 10, 2006)
Description: This hotfix applies to all versions of Plone 2. At the time of this writing these are Plone 2.0.5, 2.1.2, and 2.5-beta1.
Compatibility: Plone 2.5