Plone Hotfix 20110531 (Jun 01, 2011)
Apply to Plone series 4.x <= 4.0.5, 3.x <= 3.3.5, 2.5.x. Fixes multiple vulnerabilities.
Available downloads
Release Notes
| Tested with | Plone 4, Plone 3, Plone 2.5 |
|---|---|
| State | Final release |
| License | GPL |
*** IMPORTANT ***: The original release of this hotfix that was made on May 31 had a critical flaw. Please make sure you are using version 2.0 of the hotfix. The Plone security team apologizes for the error.
See CVE-2011-1948, CVE-2011-1949 and CVE-2011-1950 for additional background on this hotfix. This download fixes all three issues; you do not need separate fixes for each one.
Update Instructions
If you are not using buildout, simply replace the old version of the Hotfix in your products directory with the new version.
If you have already installed version 1 of the hotfix, need to update to 2.0, and are using buildout, add Products.PloneHotfix20110531==2.0 to the eggs section. See the buildout instructions below for more details.
Installation instructions
The procedure for installing Hotfix 20110531 differs slightly based on what version of Plone you are running, and whether you installed Plone using Buildout.
Backup First!
It is prudent to back up all of your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, then you can skip this step and proceed.
If you don't already have a backup of your Plone site, the simplest way to back up your Plone instance is to simply copy your entire Zope instance folder or buildout folder to a secure location.
Recommended Install Procedure
If you're less experienced with Plone, the easiest way to install Hotfix 20110531 on Plone 2.5 - Plone 4 is as follows:
1) Download the hotfix archive using the link above.
2) Place the downloaded zip file into the "products" directory in your Zope instance.
3) If you have an md5 tool available (Linux or Mac), check that the checksum of the downloaded file matches:
- MD5 (PloneHotfix20110531-2.0.zip)
- 0dc1ff3bf323d9f63434fd69f64add26
4) Unpack the archive.
On Linux or Mac, the command is:
$ unzip PloneHotfix20110531-2.0.zip
On Windows, use your favorite archiving product. (7Zip is a good choice.)
5) Restart your Zope instance in foreground mode to ensure that the hotfix is installed.
On Mac or Linux, the command is typically:
$ bin/instance fg
On Windows, the command is typically:
> bin\instance.exe fg
Plone 2.5 users on Windows may need to use the alternative command:
> bin\runzope.bat
Zope will start in the foreground, and you should see the message "INFO PloneHotfix20110531 Hotfix installed." during startup.
6) Stop the foreground instance of Zope by hitting CTRL-C.
7) Restart your Zope instance.
On Mac or Linux, the command is typically:
$ bin/instance start
On Windows, the command is typically:
> bin\instance.exe start
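Steps 3 to 5 above as a script that refuses to unpack unless the checksum matches and then confirms the load message (an added example, not part of the hotfix or of Plone's own tooling). The checksum and log message are the ones given on this page; the function names, the products path argument and the startup.log capture file are assumptions.

```shell
#!/bin/sh
# Added example: verify the download, unpack it, confirm the hotfix loaded.
# Both values below are copied from this page.
EXPECTED_MD5="0dc1ff3bf323d9f63434fd69f64add26"
LOADED_MSG="INFO PloneHotfix20110531 Hotfix installed"

# Print the MD5 of a file using whichever tool exists (Linux or Mac).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5 tool found" >&2
        return 2
    fi
}

# Return 0 only if the file exists and its MD5 equals the expected value.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $file: got $actual" >&2
        return 1
    fi
}

# Unpack into the products directory only after the checksum matches.
install_hotfix() {
    verify_md5 "$1" "$EXPECTED_MD5" || return 1
    unzip -q "$1" -d "$2"
}

# Return 0 if captured startup output contains the hotfix's load message.
# Capture it in step 5 with: bin/instance fg 2>&1 | tee startup.log
hotfix_loaded() {
    grep -qF "$LOADED_MSG" "$1"
}

# Usage (paths are placeholders):
#   install_hotfix PloneHotfix20110531-2.0.zip /path/to/instance/products
#   hotfix_loaded startup.log && echo "hotfix active"
```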
Installing with Buildout
If you are an experienced Plone administrator, and you are using a Buildout-based installation of Plone, you may choose to install Hotfix 20110531 with Buildout. However, if you choose to do this, you must be certain that you will not accidentally overwrite Plone components with newer versions. This is particularly likely if you try to use Buildout with Plone 2.5, Plone 3 or Plone 3.1.
If you are not sure what you're doing, please use the "Recommended Install Procedure" above.
1) Find your buildout.cfg file, typically located in the "zinstance" subdirectory of your Plone installation directory.
2) Open your buildout.cfg file in your favorite text editor.
3) Scroll down to the "eggs" section of the buildout and add Products.PloneHotfix20110531, e.g.
[buildout]
...
eggs =
    Products.PloneHotfix20110531==2.0
4) Rerun buildout.
On Mac or Linux, the command is:
$ ./bin/buildout -Nv
On Windows, the command is:
> bin\buildout.exe -Nv
5) Restart your Zope instance.
On Mac or Linux, the command is:
$ ./bin/instance start
On Windows, the command is:
> bin\instance.exe start
Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.


