Plone 6.0.7 released
Important security updates, performance improvements and many small bugs fixed. Please update to Plone 6.0.7 when possible.
Three months after the last patch release for Plone 6, which came out just before summer, Plone 6.0.7 brings important security fixes as well as functional and performance improvements.
If you are running any previous version of Plone 6.0, please consider upgrading to Plone 6.0.7 on short notice. If this is not feasible, please check the separate Plone Security Advisory 20230921, which has detailed instructions on which packages you should update in your deployment setup.
Security fixes in Plone 6.0.7
There are three different areas where security related issues were found and resolved:
- The Zope application server has received two patches where users capable of adding/editing script code could escape the sandbox. Due to the high level of access privilege required - normally only administrator-level users are allowed to add or edit the affected Zope objects - the risk to Zope and Plone site maintainers is limited. See the community announcement.
- If the ++api++ traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive and triggering a possible Denial of Service.
- There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. And it exists for user portraits, both in Volto and ClassicUI.
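The two issues above that site operators can also guard against in front of Zope are the repeated ++api++ traversal and inline rendering of SVG. The following is an added example, not Plone or plone.restapi code: it shows a defender-side check that rejects request paths repeating the ++api++ segment, a helper that forces SVG responses (originals, scales and portraits alike) to be downloaded rather than rendered, and a cheap triage scan of uploaded SVG bytes for active content. The function names, the constructed SVG samples and the idea of running this in a WSGI middleware or reverse proxy are assumptions of this example.

```python
"""Defender-side checks for two of the issues fixed in Plone 6.0.7.

Added example, not Plone code. Function names are hypothetical and the
sample inputs below are constructed for the demonstration.
"""
import re
from typing import Dict, Optional

API_TRAVERSER = "++api++"
SVG_TYPES = {"image/svg+xml"}


def count_api_traversals(path: str) -> int:
    """Count how often the ++api++ traverser appears as a path segment,
    e.g. /Plone/++api++/++api++/news -> 2."""
    return sum(1 for segment in path.split("/") if segment == API_TRAVERSER)


def should_reject_path(path: str, max_traversals: int = 1) -> bool:
    """True when a request repeats the traverser; a reverse proxy or WSGI
    middleware can answer 400 instead of letting Zope traverse each copy."""
    return count_api_traversals(path) > max_traversals


def response_headers_for_image(
    content_type: str, filename: str, headers: Optional[Dict[str, str]] = None
) -> Dict[str, str]:
    """Return response headers that force SVG to download instead of
    rendering inline. Applies to originals, scales and portraits alike,
    which is the gap the 2021 hotfix left open. Other image types pass through."""
    result = dict(headers or {})
    base_type = content_type.split(";")[0].strip().lower()
    if base_type in SVG_TYPES or filename.lower().endswith(".svg"):
        safe_name = filename.replace('"', "")  # keep the header value well-formed
        result["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        result["X-Content-Type-Options"] = "nosniff"
    return result


# Markers of active content in SVG: script elements, on* event handler
# attributes and javascript: URLs. Triage only, not a sanitizer.
SCRIPT_MARKERS = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def svg_contains_active_content(data: bytes) -> bool:
    """Flag uploaded SVG bytes that carry script-like content, so an
    upload hook or log scan can alert on them."""
    return SCRIPT_MARKERS.search(data) is not None


# Constructed samples (not real site content).
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed sample */'
    b"</script></svg>"
)
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)


if __name__ == "__main__":
    for path in ("/Plone/++api++/news", "/Plone/++api++/++api++/++api++/news"):
        print(path, "reject" if should_reject_path(path) else "ok")
    print(response_headers_for_image("image/svg+xml", "logo.svg"))
    print(response_headers_for_image("image/png", "logo.png"))
    print("sample flagged:", svg_contains_active_content(SAMPLE_SVG))
    print("clean flagged:", svg_contains_active_content(CLEAN_SVG))
```

These checks complement the package updates rather than replace them: the traversal limit only shields the application server from repeated-traverser requests, and the header helper is only correct if every route that serves image data (including scale and portrait views) goes through it.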
Again, if you cannot update to Plone 6.0.7, which has all these issues fixed in the constraints files or known good set of packages, please check the Plone Security Advisory 20230921 for instructions on how to patch earlier supported versions of Plone 6.0 or Plone 5.2.
Other generic improvements
Image modification times - Images are stored in so-called image fields on content. The News Item is an example, and the Image content type is a special purpose CT to store an image. Up until now, the modification date of an Image field in the content type used the modification date of the content item. This can lead to issues for image scales, where the hashes for the scale URLs are calculated using the modification date.
Fixes for Indonesian in a multilingual site. The set_recursive_language function in plone.app.multilingual was fixed to actually find child objects.
A memory leak was fixed in plone.dexterity. For details see issue 3829. The included Bootstrap CSS library for Classic-UI frontends was updated to Bootstrap 5.3.2. In Mockup several fixes were made in the pat-structure and the pat-tinymce pattern.
Specific updates in the Plone backend for use in combination with the Volto frontend: a block_types index was added to the ZCatalog. By default it is only added for new Plone sites. To add it to an existing site, run plone.volto.upgrades.add_block_types_index manually. In plone.restapi several improvements were made to the handling of image_scales in block data and there is a new convenience function visit_blocks for finding all nested blocks on a layout.
These are only some of the many small improvements - see the detailed release notes for Plone 6.0.7 to read the full list of changes made in all Plone packages.
Volto Frontend improvements
The default frontend for new Plone 6 sites is Volto. The latest 'bundled' release of Volto for Plone 6.0.7 is Volto version 16.24.0.
- Search block number count, spinner feedback, temporarily disabling the search button, and facet and search data updates while loading or using the back button (multiple issues)
- User control panel fixes
- Content rule settings for non-English languages
- Navigation for folders inside navigation roots
- Editing layout fixes for blocks with Schema Enhancers
- Updates Spanish translations