Security patch released: 20161129
Hotfix to patch various vulnerabilities
CVE numbers not yet issued.
Versions Affected: All supported Plone versions (4.x, 5.x). Previous versions could be affected but have not been tested.
Versions Not Affected: None.
Nature of vulnerability: the patch will address several cross site scripting (XSS) and private data exposure vulnerabilities.
The patch was released at 2016-11-29 15:00 UTC.
Full installation instructions are available on the HotFix release page.
If you do not have in-house server administrators or a website maintenance service agreement, you can find consulting companies at plone.com/providers .
Questions and Answers
What is involved in applying the patch?
Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.
How were these vulnerabilities found?
The vulnerabilities were found by users submitting them to the security mailing list.
My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
Plone patches are always made available to all users at the same time. There are no exceptions.
How can I report other potential security vulnerabilities?
Please email the Plone Security Team at [hidden email] rather than publicly discussing potential security issues.
How can I apply the patch without affecting my users?
Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html
Who is on the Plone Security Team and how is it funded?
The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.
How can I help the Plone Security Team?
The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at https://plone.org/sponsors.
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums . If you have specific questions about this vulnerability or its handling, contact the [hidden email]directly.
To report potentially security-related issues, e-mail the Plone Security Team directly at [hidden email] rather than publicly discussing potential security issues. We are always happy to credit individuals and companies who make responsible disclosures.
The Plone Security Team is an all-volunteer team. If you'd like to help the team, as a developer, a tester, or as a financial sponsor, please email the team at [hidden email] and become a sponsor at plone.org/sponsors
To be informed of future security patches, subscribe to the low-traffic Plone announcement list
Information for Vulnerability Database Maintainers
We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the current vulnerability list and the old vulnerability list