Plone 6.0.0a3 and Plone 5.2.7 Released

Releases contain a fix for a security issue with cache poisoning.

Important security fix applied

See forum post for more details and easy workaround:
https://community.plone.org/t/security-fix-for-image-view-fullscreen-cache-poisoning/14757

See also CMFPlone security advisory on GitHub.

Plone is vulnerable to reflected cross-site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page into a cache, for example Varnish. The technique is known as cache poisoning.
Any later visitor served that cached page can be redirected when clicking a link on it. Usually only anonymous users are affected, but this depends on your cache settings.
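To make the mechanism concrete, here is an added illustration (not code from Plone or from the fixed packages) of the pattern the advisory describes: a "back" link whose href is taken from the request's Referer header, next to a hardened version that derives the link from the content object instead, and a small cache-safety check. Site, parent and context URLs are constructed placeholders.

```python
from html import escape

# Constructed placeholders standing in for the site and the Image object's
# container; a real Plone view would get these from the context, not literals.
SITE_URL = "https://www.example.org"
PARENT_URL = SITE_URL + "/images"


def back_link_vulnerable(headers):
    """The risky pattern: the href is copied straight from the Referer header.

    Whoever populates the cache first decides what every later visitor
    receives, because a URL-keyed cache (Varnish) does not see the header.
    """
    referer = headers.get("Referer", "")
    return '<a href="%s">Back</a>' % referer


def back_link_hardened(headers, parent_url=PARENT_URL):
    """Hardened form (assumed approach, not the upstream patch verbatim).

    The target comes from the server side (the object's container), the
    Referer is ignored, and the value is attribute-escaped, so the rendered
    page is identical for every request and cannot carry a foreign target.
    """
    del headers  # intentionally unused: nothing from the request is reflected
    return '<a href="%s">Back</a>' % escape(parent_url, quote=True)


def varies_on_referer(render, headers_a, headers_b):
    """Cache-safety check for a view: if two requests that differ only in
    Referer render differently, a shared cache can serve one user's copy to
    the next, which is exactly the poisoning condition in the advisory."""
    return render(headers_a) != render(headers_b)


if __name__ == "__main__":
    foreign = {"Referer": "https://attacker.example/"}
    print(back_link_vulnerable(foreign))
    print(back_link_hardened(foreign))
    print("vulnerable view varies on Referer:",
          varies_on_referer(back_link_vulnerable, foreign, {"Referer": SITE_URL}))
    print("hardened view varies on Referer:",
          varies_on_referer(back_link_hardened, foreign, {"Referer": SITE_URL}))
```

The same `varies_on_referer` idea works as a quick regression check for any cached view: render it twice with different request headers and assert the output matches.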

All Plone versions are vulnerable. It depends on your Plone version and the Image content type which package is vulnerable: Products.CMFPlone, plone.app.contenttypes or Products.ATContentTypes.

The Plone Security Team has released fixes for Plone 5.2:

  • plone.app.contenttypes 2.2.3 (see advisory)
  • Products.ATContentTypes 3.0.6 (see advisory). If you are on Python 3 you will not be using this package.

and for Plone 6:

  • plone.app.contenttypes 3.0.0a9 (see advisory)

Today, Plone 5.2.7 and 6.0.0a3 have been released with these updated packages. Separate announcements will follow.

If you have any questions or comments about this advisory, email us at security@plone.org. This is also the correct address to use when you want to report a possible vulnerability. See our security report policy.

Highlights of the Plone 6 Alpha 3 Release

https://plone.org/download/releases/6.0.0a3

Changes since 6.0.0a2:

  • plone.app.contenttypes: Security fix: prevent cache poisoning with the Referer header.
    See security advisory.
  • Updated the versions of the build requirements: setuptools to 59.6.0, zc.buildout to 3.0.0rc1, pip to 21.3.1.
  • Zope 5.4:

    • Add support for Python 3.10 (Plone does not have this yet).
    • WebDAV fixes.
    • https://zope.dev is now the canonical Zope developer community site.
  • plone.volto: Removed collective.folderishtypes dependency.
  • Products.CMFEditions:

    • Got rid of the skins directory. Most items in here have been moved to browser views. Some were no longer used, or had an alternative, and were removed.
    • The VersionView class is deprecated because it contained just one method that is now part of the @@plone view.
  • plone.app.linkintegrity: Track integrity of video and audio files in HTML source tags.
  • plone.app.uuid: Speed up uuidToPhysicalPath and uuidToObject.
  • plone.namedfile:

    • Make DefaultImageScalingFactory more flexible, with methods you can override.
    • Drop support for Python 2.7. Main target is now Plone 6, but we try to keep it running on Plone 5.2 with Python 3.
  • diazo: Removed FormEncode test dependency.
  • Pillow updated to 9.0.0.
  • plone.app.content: Deprecate the human_readable_size method of the ContentStatusHistoryView class because the one from the @@plone view should be used.
  • plone.app.layout: Improved the Global section viewlet:

    • Catalog based navigation.
    • Allow more customization by adding methods as hooks.
    • Various performance optimizations.
    • Deprecate now unused navtree_depth property.
  • plone.app.layout: Removed deprecated methods.
  • plone.app.layout: Add viewlet to display customizable favicon. See the Site Settings.
  • Various packages: No longer use deprecated property types ulines, utext, utoken, and ustring, but their non-unicode variants, without a u at the beginning. See issue 3305.
  • plone.restapi:

    • Enhance @addons endpoint to return a list of upgradeable addons.
    • Add support for DX Plone Site root in Plone 6. Remove blocks behavior hack for site root in Plone 6.
  • Products.CMFPlacefulWorkflow: Removed the CMFPlacefulWorkflow skin layer.

Plone 6 editing experience combines the robust usability of Plone with a blazingly fast JavaScript frontend

Plone 5.2.7 released

Specific release notes for Plone 5.2.7:

Some highlights of this release are:

  • `plone.app.contenttypes` and `Products.ATContentTypes`: Security fix: prevent cache poisoning with the Referer header. See security advisory.
  • `plone.app.linkintegrity`: Track integrity of video and audio files in HTML source tags.
  • `plone.app.z3cform` and `plone.app.textfield`: Enable multiple wysiwyg editors (use default editor registry setting).
  • `plone.namedfile`: Make `DefaultImageScalingFactory` more flexible, with methods you can override.
  • `plone.app.layout`: Improved the Global section viewlet:

    • Catalog based navigation.
    • Allow more customization by adding methods as hooks.
    • Various performance optimizations.
    • Deprecate now unused navtree_depth property.
  • `diazo`: Removed `FormEncode` test dependency.
  • `plone.restapi`: Be permissive when testing the schema of the querystring endpoint.

https://plone.org/download/releases/5.2.7