Security patch 20210518 version 1.5 released
Version 1.5 of the hotfix to patch various vulnerabilities. This hotfix is recommended for Plone 4.3, 5.0, 5.1 and 5.2.
This is a routine patch. There is no evidence that the issues fixed here are being used against any sites.
Version 1.5 of the hotfix is available from:
- https://plone.org/security/hotfix/20210518 – if you grab the zip from here, please check that version.txt contains 1.5 and/or that the md5/sha sum matches. You may get an older version from the cache; try adding ?x=1 to the URL if this happens.
- https://pypi.org/project/Products.PloneHotfix20210518/
This version is a recommended upgrade for all users.
Zope users are advised to upgrade to Zope 4.6.1 or 5.2.1. If this is not possible, you can try this new version of the hotfix.
See the original 20210518 hotfix announcement
From the changelog:
1.5 (2021-06-28)
- Fixed new XSS vulnerability in folder contents on Plone 5.0 and higher.
- Added support for environment variable STRICT_TRAVERSE_CHECK.
  - Default value is 0, which means as strict as the code from version 1.4.
  - Value 1 is very strict, the same as the stricter code introduced in Zope 5.2.1 and now taken over in Zope 4.6.2. There are known issues in Plone with this, for example in the versions history view.
  - Value 2 means: try to be strict, but if this fails we show a warning and return the found object anyway. The idea would be to use this in development or production for a while, to see which code needs a fix.
- Fix Remote Code Execution via traversal in expressions via string formatter. This is a variant of two earlier vulnerabilities in this hotfix. This was fixed in Zope 4.6.2, which takes over the already stricter code from Zope 5.2.1.
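The three STRICT_TRAVERSE_CHECK modes as a small policy model, added here as an illustration and not code from the hotfix or from Zope: the two checks are constructed stand-ins (names stand in for traversed objects), and the model assumes the 1.4 baseline check still applies in mode 2, since the changelog only says that failures of the stricter check become warnings.

```python
import logging
import os

logger = logging.getLogger("traverse")

class TraversalDenied(Exception): """Raised by a check that refuses a traversed object."""

def traverse_mode(value=None):
    """Parse STRICT_TRAVERSE_CHECK; unset or unrecognised values fall back to 0."""
    value = (os.environ.get("STRICT_TRAVERSE_CHECK", "0") if value is None else value).strip()
    return int(value) if value in ("0", "1", "2") else 0

def guarded_traverse(found, baseline_check, extra_check, mode, audit_log):
    """Apply the documented policy for `mode` to an object found by traversal.
    baseline_check stands in for the 1.4 check, extra_check for the stricter Zope
    5.2.1 rules (both hypothetical); each raises TraversalDenied to refuse.
    Assumption: in mode 2 the baseline still applies; only extra failures are logged."""
    baseline_check(found)
    if mode == 1:
        extra_check(found)
    elif mode == 2:
        try:
            extra_check(found)
        except TraversalDenied as exc:
            # Mode 2 is an audit mode: warn, record, and return the object anyway.
            logger.warning("STRICT_TRAVERSE_CHECK=1 would deny %r: %s", found, exc)
            audit_log.append((found, str(exc)))
    return found

def example_checks():
    """Constructed stand-in rules (not Zope's); names stand in for objects."""
    def baseline(name):
        if name.startswith("__"):
            raise TraversalDenied("dunder attribute")
    def extra(name):
        if name.startswith("_"):
            raise TraversalDenied("underscore-prefixed attribute")
    return baseline, extra

def run_modes(name):
    """Outcome per mode for traversing `name`: 'ok', 'denied' or 'ok (warned)'."""
    baseline, extra = example_checks()
    results = {}
    for mode in (0, 1, 2):
        audit = []
        try:
            guarded_traverse(name, baseline, extra, mode, audit)
            results[mode] = "ok (warned)" if audit else "ok"
        except TraversalDenied:
            results[mode] = "denied"
    return results
```

Running a site in mode 2 and collecting the warnings is how you find the code that would break under mode 1 before switching to it.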
Note: we don't usually release another version almost six weeks after the original one, and three weeks after the previous version, and including a fix for a vulnerability which was only reported last week. However, this contains a fix for a close variant of one of the original vulnerabilities and needs a fix in the same code, so it seemed easiest for the security team and for Plone users who patch their sites to release a newer version.