20151006

Plone affected versions

  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2
  • 4.1.6
  • 4.1.5
  • 4.1.4
  • 4.1.3
  • 4.1.2
  • 4.1.1
  • 4.1
  • 4.0.10
  • 4.0.9
  • 4.0.8
  • 4.0.7
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0
  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3

Release Notes

See https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf for additional background on this hotfix.

This hotfix should be applied to the following versions of Plone

  • Plone 4.x, but see below for more information on 4.3.9 and higher
  • Any older version of Plone; these versions are officially unsupported
  • Plone 5 is NOT vulnerable

Plone 4.3.9 and higher

The hotfix is partially included in Plone 4.3.9. The biggest part that is missing by default is plone.protect version 3.x, which is the part that does the actual automatic CSRF protection. By default Plone 4.3.9 stays on plone.protect version 2.x, because the automatic protection can be overly aggressive, as explained in the advisory linked above. Including this hotfix therefore remains an explicit decision made by you.

The plone4.csrffixes package can still be used on Plone 4.3.9 and higher, but the fixes it contains to avoid most of that aggressiveness have been incorporated into the core packages of Plone 4.3.9. To use the automatic CSRF protection, you only need to update plone.protect to the latest version in the 3.x range.

So to include the extra protection on Plone 4.3.9 and higher, which is still recommended, open the buildout.cfg file in your editor, scroll down to the [versions] section of the buildout and add the following:

[versions]
...
plone.protect = 3.0.18

But even with this version you may still notice Unauthorized errors in some JavaScript requests, especially when using the TinyMCE visual editor. In that case you still need to add plone4.csrffixes after all:

[buildout]
...
eggs =
    ...
    plone4.csrffixes

Installation instructions

The procedure for installing Hotfix 20151006 differs from other hotfix releases as it requires you to run buildout.

Backup First!

It is prudent to backup all of your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, then you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to back it up is to copy your entire Zope instance folder or buildout folder to a secure location.

Installing with Buildout

1) Find your buildout.cfg file, typically located in the "zinstance" or "zeocluster" subdirectory of your Plone installation directory.
2) Open your buildout.cfg file in your favorite text editor.
3) Scroll down to the "eggs" section of the buildout and add plone4.csrffixes, e.g.

[buildout]
...
eggs =
    ...
    plone4.csrffixes

4) Scroll down to the [versions] section of the buildout and add the following:

[versions]
...
plone4.csrffixes = 1.0.9
plone.protect = 3.0.18
plone.keyring = 3.0.1
plone.locking = 2.0.9

On versions of Plone 4.0 and 4.1, you will also likely need to add a pin for lxml:

[versions]
...
lxml = 2.3.6

Additional version pins that may help: to prevent some write-on-read errors that can cause false positives with the automatic CSRF protection, upgrading to these versions has been reported to work:

[versions]
...
Products.CMFQuickInstallerTool = 3.0.12
Products.PlonePAS = 5.0.4

5) Rerun buildout.

On Mac or Linux, the command is:

$ ./bin/buildout -Nv

On Windows, the command is:

> bin\buildout.exe -Nv

6) Restart your Zope instance.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.
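As an added check, not part of the hotfix package or of the Plone project, the following script parses a buildout.cfg with the standard library's configparser and reports whether the eggs entry and the [versions] pins from the steps above are present, and whether plone.protect is pinned in the 3.x range as described under "Plone 4.3.9 and higher". The two buildout.cfg fragments embedded in it are constructed samples, and the function and constant names are this example's own.

```python
"""Check whether a buildout.cfg carries the pins for Plone Hotfix 20151006.

Added example, not Plone project code. buildout.cfg is a superset of INI, so
the standard configparser is enough for pins; the one buildout extension that
matters here, 'eggs +=', is handled by also reading the key configparser
produces for it ('eggs +').
"""
import configparser
import sys

# Exact pins taken from the installation instructions on this page.
REQUIRED_PINS = {
    "plone4.csrffixes": "1.0.9",
    "plone.keyring": "3.0.1",
    "plone.locking": "2.0.9",
}
# plone.protect: any 3.x release provides the automatic CSRF protection,
# so the major version is checked rather than one exact number.
PROTECT_MAJOR = 3


def parse_buildout(text):
    """Parse buildout.cfg text. RawConfigParser does no interpolation, so
    ${buildout:directory}-style references in the file survive untouched."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str  # keep package-name case exactly as written
    cp.read_string(text)
    return cp


def option_words(cp, section, option):
    """Whitespace-separated entries of a (possibly multi-line) option,
    merging 'eggs =' with any 'eggs +=' additions in the same section."""
    words = []
    for key in (option, option + " +"):
        if cp.has_section(section) and cp.has_option(section, key):
            words.extend((cp.get(section, key) or "").split())
    return words


def check_hotfix(text):
    """Return a list of problem descriptions; an empty list means the
    eggs entry and all pins from the instructions are present."""
    cp = parse_buildout(text)
    problems = []

    if "plone4.csrffixes" not in option_words(cp, "buildout", "eggs"):
        problems.append("plone4.csrffixes missing from [buildout] eggs")

    versions = {}
    if cp.has_section("versions"):
        versions = {k: (v or "").strip() for k, v in cp.items("versions")}

    for pkg, expected in REQUIRED_PINS.items():
        pinned = versions.get(pkg)
        if pinned is None:
            problems.append(f"{pkg} not pinned in [versions] (expected {expected})")
        elif pinned != expected:
            problems.append(f"{pkg} pinned to {pinned}, instructions give {expected}")

    protect = versions.get("plone.protect")
    major = protect.split(".")[0] if protect else ""
    if not (major.isdigit() and int(major) == PROTECT_MAJOR):
        problems.append(f"plone.protect is {protect or 'unpinned'}; "
                        f"a 3.x pin is needed for automatic CSRF protection")
    return problems


# Constructed sample: buildout.cfg after the steps above were followed.
PATCHED_CFG = """\
[buildout]
extends = base.cfg
parts = instance
eggs =
    Plone
    plone4.csrffixes

[versions]
plone4.csrffixes = 1.0.9
plone.protect = 3.0.18
plone.keyring = 3.0.1
plone.locking = 2.0.9
"""

# Constructed sample: a site still on the plone.protect 2.x default.
UNPATCHED_CFG = """\
[buildout]
parts = instance
eggs =
    Plone

[versions]
plone.protect = 2.0.3
"""


if __name__ == "__main__":
    # Usage: python check_hotfix.py path/to/buildout.cfg
    with open(sys.argv[1]) as fh:
        found = check_hotfix(fh.read())
    print("\n".join(found) if found else "Hotfix 20151006 pins present")
    sys.exit(1 if found else 0)
```

The script only inspects the one file it is given; pins that live in an extended file (the `extends =` line in the sample) are not followed, so run it against the file that actually contains your [versions] section.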

Issues fixed