Plone 5.2.3, Plone 5.1.7 and Plone 4.3.20 released!

Final releases in the 4.3 and 5.1 series, along with the latest 5.2.3.

General notes:

Plone 5.2.3

Plone 5.2.3 is a bug fix release of Plone 5.2.

Download Plone 5.2.3

Experienced users can update their buildout config by pointing to https://dist.plone.org/release/5.2.3/versions.cfg.

  • Linux/BSD/Unix users: Use the Unified Installer. It is a configuration and setup kit with build scripts.
  • Windows 10 users: Use the Unified Installer. See Windows-specific installation instructions. Consider using the Unified Installer within the Windows Subsystem for Linux (WSL).
  • OS X users: Use the Vagrant kit or install Xcode command-line tools and use the Unified Installer.
  • Automated provisioning: See Plone's Ansible Playbook for a full-stack installation kit.
  • Cross-platform Docker: Install Docker and use the Plone Docker image.

For the Plone 5.2 upgrade guide, see https://docs.plone.org/manage/upgrading/

Some highlights of this release are:

  • zope.interface: Fixed potential memory leak, see https://github.com/zopefoundation/zope.interface/issues/216. Fixed inconsistent resolution orders, see https://github.com/zopefoundation/zope.interface/issues/199.
  • Zope: fixes for a few template syntax errors. HTTP header encoding support.
  • A few possible information disclosure problems in the handling of XML and of iCal URLs were reported by MisakiKata. They have been fixed by the Plone Security Team. Since they require an attacker to already have Manager or Site Administrator rights, we decided it was not necessary to create a hotfix for this. See https://github.com/plone/Products.CMFPlone/issues/3209
  • plone.recipe.zope2instance: added options clear-untrusted-proxy-headers and max-request-body-size.
  • Products.MailHost: support messages with explicit Content-Transfer-Encoding 8bit, see https://github.com/zopefoundation/Products.MailHost/issues/30. Note: in add-ons this may require changes to the tests.
  • mockup: fix Plone toolbar action links being updated only on the first navigation action in the folder_contents structure pattern.
  • plone.staticresources: updated Bootstrap Icons to 1.0.0 final.
  • plone.app.contenttypes: allow passing a custom catalog-query to migrateCustomAT to constrain which objects to migrate.
  • plone.dexterity: make sure that Dynamic schema is updated on all ZEO clients on change.
  • z3c.form/plone.app.z3cform: fixed compatibility with changed repeat syntax in Zope 4.4, see https://github.com/zopefoundation/z3c.form/issues/94.
  • Products.ATContentTypes: drop use of test() in templates, unsupported since Zope 4.4.
  • Lots of deprecation warnings fixed, especially during startup.

For detailed changelog, go to https://plone.org/download/releases/5.2.3

Plone 5.1.7

Plone 5.1.7 is a bugfix release of 5.1. Note: this is the last release in the 5.1 series.

Experienced users can update their buildout config by pointing to https://dist.plone.org/release/5.1.7/versions.cfg.

Some highlights are:

  • Integrate Plone20200121 hotfix.
  • Security: depend on Products.isurlinportal. Version 1.1.0 has hardening against whitespace.
  • plone.recipe.zeoserver: Windows fixes.
  • mockup and plonetheme.barceloneta: various frontend fixes, including translations.
  • Lots of translation updates.
  • Lots of bug fixes in many packages.
  • plone.namedfile: Range support.
  • plone.scale: The mode argument replaces the old, now deprecated, direction argument. The new names are contain or scale-crop-to-fit instead of down, cover or scale-crop-to-fill instead of up, and scale instead of thumbnail.
  • plone.supermodel: added support for choices of integers for improved registry.xml export.
  • Products.PluggableAuthService: Added new events to be able to notify when a principal is added to or removed from a group.

For detailed changelog, go to https://plone.org/download/releases/5.1.7

Plone 4.3.20

Plone 4.3.20 is a bugfix release of Plone 4.3. Note: this is the last release in the 4.3 series.

Note that support for Python 2.6 was dropped a while ago. It might still work, but you should use Python 2.7.

Experienced users can update their buildout config by pointing to https://dist.plone.org/release/4.3.20/versions.cfg.

Some highlights are:

  • Integrated PloneHotfix20200121 for increased security.
  • Moved the security check of whether a URL is in the portal to a small separate package: Products.isurlinportal. You can immediately use this on Plone 4.3 and higher. Keep an eye on updates for this package: newer versions will increase the security. Often the impact of fixes is too small to warrant a real security hotfix package, but we want to do more regular fixes here.
  • Use Products.isurlinportal 1.1.0 with security hardening against whitespace: https://github.com/plone/Products.isurlinportal/issues/1
  • Removed broken X-XSS-Protection header from classic theme and unstyled theme.
  • Products.PluggableAuthService: Added new events to be able to notify when a principal is added to or removed from a group. Notify these events when principals are added to or removed from a group in ZODBGroupManager. See https://github.com/zopefoundation/Products.PluggableAuthService/issues/17
  • z3c.autoinclude: When environment variable Z3C_AUTOINCLUDE_DEBUG is set, log which packages are being automatically included.

For detailed changelog, go to https://plone.org/download/releases/4.3.20