Security patch released: 20170117

Hotfix to patch XSS and sandbox escape vulnerability

This is a routine patch with our standard 14 day notice period. There is no evidence that the issues fixed here are being used against any sites.

CVE numbers: CVE-2016-7147 and one not yet issued.

Versions Affected: All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version). Previous versions could be affected but have not been fully tested.

Versions Not Affected: None.

Nature of vulnerability: The patch addresses a reflected XSS vulnerability in Zope and a partial sandbox escape vulnerability available to system administrators.

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.0.10, 4.1.6, 4.2.7, 4.3.11 and 5.0.6. However, it has also received some testing on older versions of Plone.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.12, 5.0.7 and greater should not require this hotfix.

Credit: Thanks to Tim Coen of Curesec GmbH for the responsible disclosure of the XSS vulnerability. The partial sandbox escape was found by the Plone security team, inspired by Armin Ronacher's writings on the subject.

The patch was released at 2017-01-17 15:00 UTC.

Installation

Full installation instructions are available on the HotFix release page.

Extra Help

If you do not have in-house server administrators or a website maintenance service agreement, you can find consulting companies at plone.com/providers.

There is also free support available online via the Plone chat channels and the Plone community forum.

 

Questions and Answers

What is involved in applying the patch? 
Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

How were these vulnerabilities found?
The vulnerabilities were found by users submitting them to the security mailing list.

My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date? 
Plone patches are always made available to all users at the same time. There are no exceptions.

How can I report other potential security vulnerabilities? 
Please email the Plone Security Team at security@plone.org rather than publicly discussing potential security issues.

How can I apply the patch without affecting my users? 
Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html  

How do I get help patching my site? 
Plone service providers are listed at plone.com/providers. There is also free support available online via the Plone IRC channel and the Plone community forum.

Who is on the Plone Security Team and how is it funded?
The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.

How can I help the Plone Security Team? 
The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at https://plone.org/sponsors.

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team directly.

To report potentially security-related issues, e-mail the Plone Security Team directly at security@plone.org rather than publicly discussing potential security issues. We are always happy to credit individuals and companies who make responsible disclosures.

The Plone Security Team is an all-volunteer team. If you'd like to help the team as a developer, a tester, or a financial sponsor, please email the team at security@plone.org and become a sponsor at plone.org/sponsors.

To be informed of future security patches, subscribe to the low-traffic Plone announcement list.

Information for Vulnerability Database Maintainers

We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the current vulnerability list and the old vulnerability list.