Plone 3.1.1 released!

The latest release in the 3.x series is ready. This release adds more portlet types, browserlayer integration, and fixes OpenID and RSS bugs. It also introduces protection against CSRF vulnerabilities in the core.

Plone 3.1 is a release that aims to make it as easy as possible to upgrade from Plone 3.0, but adds security hardening and useful infrastructure for developers. All add-on products that work on Plone 3.0 should generally work with Plone 3.1 without any changes. As usual, make sure you have a backup before you upgrade - just in case.

Major changes in Plone 3.1 include:

  • Built-in protection against "CSRF attacks":/about/security/advisories/cve-2008-0164.
  • "Collection and static text portlets are now included by default":
  • "The Unified Installer is now buildout-based": For developers:
  • "Plone now uses jQuery as its standard JS library": (in addition to the KSS framework)
  • "Latest KSS versions now ship with Plone":
  • "Add-on products now support dependencies":
  • "plone.browserlayer is now part of the standard install":
  • "Kupu now has a formlib widget":, and "formlib forms now support inline validation/editing":
  • You can now "manage portlet assignments": and "content rules": using GenericSetup
  • …and lots of bug fixes.


Windows installer as well as the Unified Installer (Linux, Mac OS X, BSD, Solaris) is available from the "Plone download page":/download as usual. Dedicated GUI installer for Mac OS X is forthcoming.

"Download Plone 3.1.1":/download Upgrading The standard Plone "upgrade procedure":/upgrade applies.

Frequently asked questions

What happened to Plone 3.1.0? -- Shortly after pushing out 3.1.0, we discovered a couple of forms that were lacking authenticators for the new CSRF protection, as well as a potential startup problem on certain setups. We decided to quickly push out an update with these fixes without officially announcing 3.1.0 to the world.

What is CSRF, and how can I protect my site? -- CSRF (aka. XSRF) stands for "Cross-Site Request Forgery":, and is a class of security vulnerabilities. For Plone 3.0-based sites, a backport of the protection mechanism used in Plone 3.1 and later is available as "Plone Hotfix CVE-2008-0164":/products/plone-hotfix/releases/CVE-2008-0164 . If you're running older Plone 2.x sites and are unable to upgrade - make sure to follow some simple rules, as outlined in the "security announcement for the CSRF issue":/about/security/advisories/cve-2008-0164. The CSRF vulnerability is not "remotely exploitable" as such, it requires you to do actions on sites that are sending malicious form data back to your own site. The attack needs to be hand-crafted for each site, so this hasn't been observed in the wild yet. Still, better safe than sorry. :-)

I noticed that the Windows installer doesn't use buildout yet, what gives? -- There wasn't enough time to create a buildout-based installer for Windows before Plone 3.1 shipped, so it has been postponed. Hopefully we can give Windows users the power of buildout with Plone 3.2. If you want buildout on Windows right now, we suggest using Ingeniweb's "Buildout-ready Python Installer": and take it from there. On Mac OS X, we recommend installing "Xcode": and using the Unified Installer if you want a buildout-based setup.

What is buildout? How can I use it? -- Refer to the "excellent tutorial on buildout": for more information.