New Waitress version, and updated 20200121 hotfix
An update to Waitress, and improved SQL escaping in the 20200121 hotfix
If you use Waitress, please upgrade from 1.4.2 to 1.4.3.
The Pylons Project released a new version of Waitress to fix a bug in the regular expression that was used to parse HTTP headers. The bug could cause the waitress process to use excessive CPU.
As Plone 5.2.1 uses Waitress 1.4.2, we recommend changing the version pin to 1.4.3 in your buildout.
[versions] waitress = 1.4.3
Updated 20200121 Hotfix
As announced previously, the 20200121 hotfix includes several fixes for privilege escalation, open redirect, password strength, overwriting files, SQL injection, and cross site scripting.
Version 1.1, released on February 11, 2020, includes an update for the SQL Injection fix, which will not be needed for all installations.
If you are not using SQL in your website you do NOT need to upgrade, though you can if you want to. Default Plone does not need it. Upgrading to this version is especially recommended when you use PostgreSQL. Note that RelStorage is not affected. For details and discussion, see DocumentTemplate issue #48.
Full installation instructions are available on the HotFix release page.
Standard security advice
- Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories. Plone sites installed through our installers already do this.
- Use an intrusion detection system that monitors key system resources for unauthorized changes.
- Monitor your Zope, reverse-proxy request and system logs for unusual activity.
- Make sure your administrator stays up to date, by following the special low-volume Plone Security Announcements list via email, RSS and/or Twitter
These are standard precautions that should be employed on any production system, and are not tied to this fix.
If you do not have in-house server administrators or a service agreement for supporting your website, you can find consulting companies at plone.com/providers
There is also free support available online via the Plone forum and the Plone chat channels.
Q: When will the patch be made available?
A: The Plone Security Team released the update patch on 2020-02-11T22:47:25+0000.
Q. What will be involved in applying the patch?
A. Patches are made available as tarball-style archives that may be unpacked into the products folder of a buildout installation (for Plone 5.1.x and earlier only) and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.
Q: How were these vulnerabilities found?
A: The vulnerabilities were found by users submitting them to the security mailing list.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all administrators at the same time. There are no exceptions.
Q: If the patch has been developed already, why isn't it made available to the public now?
A: The Security Team is still testing the patch against a wide variety of configurations and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: This information will not be made public until after the patch is made available.
Q: Is my Plone site at risk for this vulnerability? How do I know if my site has been exploited? How can I confirm that the hotfix is installed correctly and my site is protected?
A: Details about the vulnerability will be revealed at the same time as the patch.
Q: How can I report other potential security vulnerabilities?
A: Please email the Plone Security Team at email@example.com rather than publicly discussing potential security issues.
Q: How can I apply the patch without affecting my users?
A: Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html
Q: How do I get help patching my site?
A: Plone service providers are listed at plone.com/providers There is also free support available online via the Plone forum and the Plone chat channels
Q: Who is on the Plone Security Team and how is it funded?
A: The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.
Q: How can I help the Plone Security Team?
A: The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at http://plone.org/sponsors
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums If you have specific questions about this vulnerability or its handling, contact the Plone Security Team at firstname.lastname@example.org
To report potentially security-related issues, email the Plone Security Team at email@example.com We are always happy to credit individuals and companies who make responsible disclosures.
Information for Vulnerability Database Maintainers
We will apply for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) will be available at the full vulnerability list.