Plone 4.3.20

There may be hotfixes applicable to this release. Always check the Plone Hotfix page before production deployment.

Release notes

License: GPL
Date released: 2020-08-25
Release manager: Eric Steele

Plone 4.3.20 is a bug fix release of Plone 4.3. Release Manager for this version is Maurits van Rees (despite the automated text above).

This is the last ever release of the Plone 4.3 series! You should be moving to Plone 5.2 by now. See also the release schedule: https://plone.org/download/release-schedule.

Note that support for Python 2.6 was dropped a while ago. It might still work, but you should use Python 2.7.

Installers are being made, so not all links below will work yet. Experienced users can update their buildout config by pointing to https://dist.plone.org/release/4.3.20/versions.cfg.

Linux/BSD/Unix users: Use the Unified Installer. It is a configuration and setup kit with build scripts.

Windows 10 users: use the Unified Installer. See Windows-specific installation instructions. Consider using the Unified Installer within the Windows Subsystem for Linux (WSL).

OS X users: use the Vagrant kit or install Xcode command-line tools and use the Unified Installer.

Automated provisioning: See Plone's Ansible Playbook for a full-stack installation kit.

Cross-platform Docker: install Docker and use the Plone Docker image.

For the Plone 4.3 upgrade guide, see https://docs.plone.org/manage/upgrading/

Specific release notes for Plone 4.3.20:

Some highlights are:

  • Integrated PloneHotfix20200121 for increased security.
  • Moved the security check of whether a URL is in the portal to a small separate package: Products.isurlinportal. You can immediately use this on Plone 4.3 and higher. Keep an eye on updates for this package: newer versions will increase the security. Often the impact of a fix is too small to warrant a real security hotfix package, but we want to do more regular fixes here.
  • Use Products.isurlinportal 1.1.0 with security hardening against whitespace: https://github.com/plone/Products.isurlinportal/issues/1
  • Removed broken X-XSS-Protection header from classic theme and unstyled theme.
  • Products.PluggableAuthService: Added new events to be able to notify when a principal is added to or removed from a group. Notify these events when principals are added to or removed from a group in ZODBGroupManager. See https://github.com/zopefoundation/Products.PluggableAuthService/issues/17
  • z3c.autoinclude: When environment variable Z3C_AUTOINCLUDE_DEBUG is set, log which packages are being automatically included.

Changes

plone.recipe.alltests: 1.5.1 → 1.5.2

Bug fixes:

  • Minor packaging updates. (#1)

plone.app.robotframework: 1.2.3 → 1.2.4

Bug fixes:

  • Reverted change in 1.2.1 for 'Log in' keyword which failed in Plone 4.3. Fixes issue 107. [maurits]

lxml: 4.2.1 → 4.2.6

Plone: 4.3.19 → 4.3.20

New features:

  • Release Plone 4.3.20. This will be the last release in the 4.3 series. See also the Plone release schedule. [maurits]

Products.Archetypes: 1.9.20 → 1.9.21

Bug fixes:

  • textcount.js support for jquery>1.6.

    Make it impossible to enter text longer than maxlimit by replacing maxlimit alert() with highlighting textcountfield. [vkarppinen] (#93)

Products.CMFPlone: 4.3.19 → 4.3.20

Bug fixes:

  • Removed broken X-XSS-Protection header. [maurits] (#2964)
  • Merge Hotfix20200121: isURLInPortal could be tricked into accepting malicious links. (#3021)
  • Merge Hotfix20200121: Check of the strength of password could be skipped. (#3021)
  • Depend on new package Products.isurlinportal. This contains the isURLInPortal method that was split off from our URLTool. See issue 3150. [maurits] (#3150)
  • Increased metadata version to 4322, to trigger Plone upgrade for Plone 4.3.20. This is the last release ever of the Plone 4.3.x line. See also the Plone release schedule. [maurits] (#3166)

Products.GenericSetup: 1.8.10 → 1.8.11

Bug fixes:

  • Force saving unpersisted changes in toolset registry. Fixes issue 86.
  • No longer test on Python 2.6.

Products.PloneLanguageTool: 3.2.9 → 3.2.10

Bug fixes:

  • Minor packaging updates. (#1)

Products.PluggableAuthService: 1.11.2 → 1.11.3

  • Add new events to be able to notify when a principal is added to or removed from a group. Notify these events when principals are added to or removed from a group in ZODBGroupManager (#17)

Products.ZSQLMethods: 2.13.5 → 2.13.6

archetypes.referencebrowserwidget: 2.5.10 → 2.5.11

Bug fixes:

  • Minor packaging updates. [various] (#1)

collective.monkeypatcher: 1.2 → 1.2.1

Bug fixes:

  • Minor packaging updates. [various] (#1)

collective.z3cform.datetimewidget: 1.2.8 → 1.2.9

Bug fixes:

  • Removed compiled .mo files from repository. I will create a new release, which should still contain those, including the missing Dutch .mo file. [maurits]

plone.app.imaging: 1.0.13 → 1.0.14

Bug fixes:

  • Fix IOError: cannot write mode RGBA as JPEG on ImageField scale [avoinea]

plone.app.locales: 4.3.16 → 4.3.17

  • Backport new translations from Plone 5.2. [vincentfretin]

plone.app.querystring: 1.2.12 → 1.2.13

Bug fixes:

  • Integer criterions: try to convert all input to integers. Most notably this did not happen for unicode on Python 2. So a u"42" was passed as value to the catalog query, and this matched either all or nothing. [maurits] (#93)

plone.app.upgrade: 1.4.6 → 1.4.7

Bug fixes:

  • Added null upgrade step to 4322, the metadata version of Plone 4.3.20. [maurits] (#3166)

plone.alterego: 1.1.3 → 1.1.5

Bug fixes:

  • Minor packaging updates. (#1)
  • Minor packaging updates. [various] (#1)

plone.behavior: 1.3.0 → 1.3.2

Bug fixes:

  • Minor packaging updates. (#1)
  • Improved documentation. [jensens] (#0)

plone.contentrules: 2.0.9 → 2.0.10

Bug fixes:

  • Minor packaging updates. (#1)

plone.indexer: 1.0.6 → 1.0.7

Bug fixes:

  • Minor packaging updates. (#1)

plone.intelligenttext: 3.0.0 → 3.1.0

New features:

  • Drop Python 2.6 support from tests. Start testing on 3.7 and 3.8. [maurits] (#9)

plone.reload: 3.0.0 → 3.0.1

Bug fixes:

  • Minor packaging updates.

plone.subrequest: 1.8.6 → 1.8.7

Bug fixes:

  • Restored to 1.8.4 version. Kept only the optional Archetypes test dependency. Plone 4.3, 5.0 and 5.1 do not need the Python 3 and Zope 4 fixes, and may give errors. Plone 5.2 does not use this branch. Fixes issue 2995. [maurits]

plone.synchronize: 1.0.3 → 1.0.4

New features:

  • Drop Python 2.6 support. Support 2.7, 3.5-3.8, PyPy2/3. Added tox for local testing. [maurits] (#2)

plone.uuid: 1.0.5 → 1.0.6

Bug fixes:

  • Minor packaging updates. (#1)

plonetheme.classic: 1.5.0 → 1.5.1

Bug fixes:

  • Removed broken X-XSS-Protection header. Fixes issue 2964. [maurits]

z3c.autoinclude: 0.3.9 → 0.4.0

Breaking changes:

  • Drop support for Python 3.4.

New features:

  • When environment variable Z3C_AUTOINCLUDE_DEBUG is set, log which packages are being automatically included. Do this in a form that you can copy to a configure.zcml file.
  • Add support for Python 3.8.

collective.z3cform.datagridfield: 1.3.1 → 1.3.3

grokcore.component: 2.5 → 2.5.1

plone.app.contenttypes: 1.1.6 → 1.1.9

plone.app.event: 1.1.12 → 1.1.13

Bug fixes:

  • Fixed Spanish translations. [Corina Riba] (#0)

plone.app.lockingbehavior: 1.0.5 → 1.0.7

plone.app.referenceablebehavior: 0.7.7 → 0.7.8

Bug fixes:

  • Minor packaging updates. (#1)

plone.api: 1.10.0 → 1.10.2

Bug fixes:

  • Minor packaging updates. (#1)
  • Remove deprecation warnings [ale-rt] (#432)
  • In tests, use stronger password. [maurits] (#436)
  • Removed duplicate and failing inline doctest for content.find. [maurits] (#437)

plone.formwidget.autocomplete: 1.3.0 → 1.4.0

New features:

  • Add Plone 5 compatibility [laulaz]

plone.formwidget.contenttree: 1.1.0 → 1.2.0

New features:

  • Added Python 3 compatibility. [cekk]

plone.app.blocks: 4.3.0 → 4.3.2
