Security patch released: 20160419
CVE numbers not yet issued.
Versions Affected: All supported Plone versions (4.x, 5.x). Previous versions could be affected but have not been tested.
Versions Not Affected: None.
Nature of vulnerability: Patches multiple attack vectors.
This patch is compatible with all supported Plone versions (i.e. Plone 4, Plone 5). It may work on earlier versions of Plone, but as these are officially unsupported they have not undergone the same level of testing with the patch.
Full installation instructions are available on the HotFix release page.
The Plone Security Team is grateful to Giovanni Monteiro Calanzani and Glauter de Sousa Vilela, who reported the vulnerability.
Questions and Answers
What is involved in applying the patch?
Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.
How were these vulnerabilities found?
The vulnerabilities were found by users submitting them to the security mailing list.
My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
Plone patches are always made available to all users at the same time. There are no exceptions.
How can I report other potential security vulnerabilities?
Please email the Plone Security Team at [hidden email] rather than publicly discussing potential security issues.
How can I apply the patch without affecting my users?
Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html
How do I get help patching my site?
Plone service providers are listed at plone.com/providers and plone.org/support/network There is also free support available online via the Plone IRC channel and the Plone community forum.
Who is on the Plone Security Team and how is it funded?
The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.
How can I help the Plone Security Team?
The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at http://plone.org/donate.
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums . If you have specific questions about this vulnerability or its handling, contact the [hidden email]directly.
To report potentially security-related issues, e-mail the Plone Security Team directly at [hidden email] rather than publicly discussing potential security issues. We are always happy to credit individuals and companies who make responsible disclosures.
The Plone Security Team is an all-volunteer team. If you'd like to help the team, as a developer, a tester, or as a financial sponsor, please email the team at [hidden email] and become a sponsor at plone.org/donate
Information for Vulnerability Database Maintainers
We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the full vulnerability list