Hotfix Error: Hotfix20110531 version 1.0 is incomplete

by Matthew Wilkes last modified Jun 02, 2011 04:45 PM
A critical flaw has been found in version 1.0 of Hotfix20110531; an updated release is now available.

The Plone security team is sorry to announce that a flaw has been found in Hotfix20110531, released on the 1st June 2011. On Plone 4, the escalation of privileges attack was not blocked even with the fix installed.

As such, we have released version 2.0 of this fix, which contains a tighter check for potential attacks. It is available at http://plone.org/products/plone-hotfix/releases/20110531. If you have already installed Hotfix20110531 on Plone 4, you need to update to version 2.0. For Plone 3.x and Plone 2.x, if Hotfix20110531 is not yet installed, you should install version 2.0. If you have version 1.0 of Hotfix20110531 installed on Plone 3.x or 2.x, you do not need to upgrade.

For those who used buildout to install the fix, all that needs to be done is to re-run buildout so that it picks up the latest version.
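Before and after re-running buildout, an administrator will want to confirm which hotfix version is actually installed in the instance. The following POSIX shell helpers are an added example, not code from the advisory or from the Plone project. They assume the hotfix egg is named Products.PloneHotfix20110531 (the PyPI name of the package; an assumption, since the advisory does not state it) and that buildout unpacked it into an eggs directory as a folder such as Products.PloneHotfix20110531-2.0-py2.6.egg; the eggs directory path is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the Plone advisory or the Plone project).
# Assumptions: the hotfix egg is called Products.PloneHotfix20110531 and
# buildout placed it in the given eggs directory as
# Products.PloneHotfix20110531-<version>-pyX.Y.egg (or -<version>.egg).

# Print the highest installed hotfix version found in EGGS_DIR, or "none".
hotfix_version() {
    eggs_dir="$1"
    best="none"
    for d in "$eggs_dir"/Products.PloneHotfix20110531-*.egg; do
        [ -e "$d" ] || continue          # glob did not match anything
        # Strip the package prefix, then anything after the version.
        v=$(basename "$d" | sed -e 's/^Products\.PloneHotfix20110531-//' \
                                -e 's/-.*$//' -e 's/\.egg$//')
        # Keep the numerically highest version (1.0 vs 2.0 for this hotfix).
        if [ "$best" = "none" ] || awk -v a="$v" -v b="$best" 'BEGIN{exit !(a+0 > b+0)}'; then
            best="$v"
        fi
    done
    echo "$best"
}

# Return 0 if the installed hotfix is version 2.0 or later, 1 otherwise.
# Version 1.0 is the flawed release that does not block the attack on Plone 4.
hotfix_is_current() {
    v=$(hotfix_version "$1")
    [ "$v" != "none" ] || return 1
    awk -v a="$v" 'BEGIN{exit !(a+0 >= 2.0)}'
}

# Demonstration on a constructed eggs directory (no real instance needed).
demo_eggs=$(mktemp -d)
mkdir -p "$demo_eggs/Products.PloneHotfix20110531-1.0-py2.6.egg"
echo "installed: $(hotfix_version "$demo_eggs")"      # 1.0 -> still flawed on Plone 4
if hotfix_is_current "$demo_eggs"; then
    echo "hotfix is current"
else
    echo "hotfix is NOT current: re-run bin/buildout, then check again"
fi
rm -rf "$demo_eggs"
```

Run it as `sh check_hotfix.sh` after pointing the demo (or your own call to `hotfix_is_current`) at the instance's eggs directory; if it reports the hotfix as not current on a Plone 4 site, re-run buildout and repeat the check until version 2.0 is reported.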

We apologise for the inconvenience this has caused. We will be doing a postmortem on this fix in the coming weeks to further improve our security patch release procedures.