The Plone Security Team today released the first of its scheduled four-monthly security hotfixes. The hotfix is available from https://plone.org/security/20131210 and is required for versions 3.3 through 4.3.2 of Plone. Older versions of Plone may benefit from installing the fix, but it has not been tested on them, so thorough testing in your deployment is recommended before installation.
Instructions for applying the hotfix along with help resources are available on the hotfix page.
This hotfix was released under a new policy that makes non-urgent security fixes available on a regular, three-times-a-year schedule. The Security Team also debuted a new format for its hotfix and vulnerability descriptions that gives more detail on affected versions and precise vulnerabilities.
The scheduled hotfixes give site administrators regular advance notice of the patches. If a vulnerability is being actively exploited, or is in danger of being exploited, the Security Team will issue hotfixes off schedule.
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team.
To report potentially security-related issues, e-mail the Plone Security Team at firstname.lastname@example.org. We are always happy to credit individuals and companies who make responsible disclosures.