Plone 5.2.14 has been released
Important security updates. Please update to Plone 5.2.14 as soon as possible if you are running an earlier version of Plone 5.2.
Plone 5.2.14 is planned to be the last regular release of Plone 5.2. This release was originally planned for October, but we moved it forward to have the security fixes in a full release. If there are good reasons, we can still make a new release. After October 2023, Plone 5.2 is out of maintenance support. There is still one year of security support, until October 31, 2024. At that moment, even Python 3.8 is out of security support by the Python community.
If you cannot update to Plone 5.2.14, please check the separate Plone Security Advisory 20230921, which has detailed instructions on which packages you should update in your deployment setup.
Security fixes in Plone 5.2.14
There are three different areas where security-related issues were found and resolved:
- The Zope application server has received two patches where users capable of adding/editing script code could escape the sandbox. Due to the high level of access privilege required (normally only administrator-level users are allowed to add or edit the affected Zope objects) the risk to Zope and Plone site maintainers is limited. See the community announcement.
- When the ++api++ traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive and triggering a possible Denial of Service.
- There is a stored cross-site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. And it exists for user portraits, both in Volto and Classic UI.
Again, if you cannot update to Plone 5.2.14, which has all these issues fixed in the constraints files or known good set of packages, please check the Plone Security Advisory 20230921 for instructions on how to patch earlier supported versions of Plone 5.2 or Plone 6.0.
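As an added illustration, not part of the release announcement, here is a small Python check that scans web-server access-log lines for requests in which the ++api++ traverser appears more than once, the pattern behind the Denial of Service described above. The log lines, IP addresses and the one-traversal threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote
from typing import List, Tuple

# Constructed sample access-log lines (common log format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2023:10:00:01 +0000] "GET /Plone/++api++/news HTTP/1.1" 200 512
10.0.0.7 - - [21/Sep/2023:10:00:02 +0000] "GET /Plone/++api++/++api++/++api++/++api++/news HTTP/1.1" 200 512
10.0.0.9 - - [21/Sep/2023:10:00:03 +0000] "GET /Plone/front-page HTTP/1.1" 200 2048
"""

# Extract method and request path from the quoted request part of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def count_api_traversals(path: str) -> int:
    """Count ++api++ path segments after dropping the query string and
    percent-decoding, so an encoded %2B%2Bapi%2B%2B is counted as well."""
    clean = unquote(path.split("?", 1)[0])
    return sum(1 for seg in clean.split("/") if seg == "++api++")


def is_suspicious_path(path: str, max_allowed: int = 1) -> bool:
    """One ++api++ is how plone.restapi is normally addressed; more is not."""
    return count_api_traversals(path) > max_allowed


def find_repeated_api_traversals(log_text: str, max_allowed: int = 1) -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, traversal_count) for every request that
    exceeds max_allowed ++api++ segments. Lines without a request are skipped."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group("path")
        count = count_api_traversals(path)
        if count > max_allowed:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, path, count))
    return hits


if __name__ == "__main__":
    for ip, path, count in find_repeated_api_traversals(SAMPLE_LOG):
        print(f"{ip} requested {path} with {count} ++api++ segments")
```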
Other fixes in this release:
- Fixes for Indonesian in a multilingual site.
- Fix the set_recursive_language function in plone.app.multilingual to actually find child objects.
- A memory leak was fixed in plone.dexterity. For details see issue 3829.
- The included Bootstrap CSS library for Classic UI frontends was updated to Bootstrap 5.3.2.
- In Mockup, several fixes were made in the pat-structure and pat-tinymce patterns.
This release supports Python 2.7 and 3.8. Python 3.6 and 3.7 should still work, but these are end-of-life and no longer supported.
Plone 5.2 still supports Python 2.7, but this is end-of-life since 2020. It should only be used as a temporary stepping stone before you migrate your Plone site to Python 3.
Consider and start planning your upgrade to the Plone 6 series (if you haven't done so already)
As documented above, this is the last or one of the last patch releases for Plone 5.2. From the end of October 2024, Plone 5.2 will be out of official support by the Plone Community and its development team. Your Plone provider, integrator or support company might still be able to offer extended support, as is sometimes the case with other software products and stacks.
But this is not an ideal situation for long-term support. The efficiency and cost effectiveness of such an agreement, compared with upgrading to the Plone 6 series, is difficult to estimate or make general claims about. You can migrate your Plone 5.2 website to Plone 6 with the new React-based "Volto" frontend, where your current stack provides a REST API based backend. Or you can choose to upgrade to Plone 6 Classic UI. Both have certain advantages and disadvantages that are best discussed with your current or another Plone provider near you.