{ "info": { "author": "Plone Security Team", "author_email": "security@plone.org", "bugtrack_url": null, "classifiers": [ "Framework :: Plone", "Programming Language :: Python" ], "description": "Plone hotfix, 2016-11-29\n========================\n\nThis hotfix fixes several security issues:\n\n- A user could copy a public folder containing a private document and be able to see the document in the copy.\n\n- An anonymous user could see some settings of the site by accessing widgets directly.\n This is for z3c.form widgets, which are widely used in Plone.\n\n- A comment on a private document would be partly visible in the live search.\n Access to the search result page would be denied if the results contained such a comment.\n This is for the plone.app.discussion commenting system introduced in Plone 4.1.\n See the required manual step below for further instructions.\n\n\nExtra fixes\n===========\n\n- Related: a vulnerability in DTML was discovered that could allow Cross Site Scripting attacks (XSS).\n This vulnerability is *not* fixed by this hotfix, because this was not possible.\n An exploit is hard: an attacker would need to enter a character that cannot normally be entered on a keyboard.\n On Plone 4.1 and higher, you should use DocumentTemplate 2.13.3, which was released today.\n On Plone 4.0 and lower, DocumentTemplate was included in the Zope2 code, which will not get an updated release.\n\n- The Zope Security Team fixed an issue where quoting of an SQL string could fail.\n The ZSQLMethods product is available in all Plone sites, but no core code uses it.\n An exploit is hard: an attacker would need to enter a character that cannot normally be entered on a keyboard.\n On Plone 4.0 and higher, you should use Products.ZSQLMethods 2.13.5, which was released a few weeks ago.\n On Plone 3.3 and lower, Products.ZSQLMethods was included in the Zope2 code, which will not get an updated release.\n\n\nRequired manual step\n====================\n\nThe security issue about comments on private documents needs a change in the Plone configuration.\nYou need to login as Manager and call `/@@apply-hotfix20161129` on the root of the Plone Site.\nThis will display a form.\nClick the button on the form and Plone will make a change in the workflow of comments, and reindex the security settings of comments.\n\n\nWarning about 'Update security settings' limitation\n===================================================\n\nAs a Plone administrator you may already know that you can change the settings of an existing workflow.\nIn the Zope Management Interface you can go to ``portal_workflow``, and change lots of permission settings for various states.\nWhen you are done, you click the 'Update security settings' button, and Plone goes through the database and applies the changes to individual content items.\nMostly this means: update the information in the catalog, so that items only show up on the search results page or other listings when the user is allowed to see them.\n\nFor comments this does not work: they are not found by this procedure.\nSo if you have made a change in the workflow that makes comments invisible for everybody, they may still show up in a search.\n\nThis will likely get fixed in a future release of Plone.\nAs a workaround, once you have saved the workflow changes, you can use the form on `/@@apply-hotfix20161129`.\n\nNote that in the Plone UI you can choose a different workflow for a type in the Content Settings controlpanel (or Types in earlier Plone versions).\nThis works fine for comments too, including updating the security settings.\n\n\nCompatibility\n=============\n\nThis hotfix should be applied to the following versions of Plone:\n\n* Plone 5.0.6 and any earlier 5.x version\n* Plone 4.3.11 and any earlier 4.x version\n* Any older version of Plone\n\nThe hotfix is officially supported by the Plone security team on the\nfollowing versions of Plone in accordance with the Plone\n`version support policy`_: 4.0.10, 4.1.6, 4.2.7, 4.3.11 and 5.0.6.\nHowever it has also received some testing on older versions of Plone.\nThe fixes included here will be incorporated into subsequent releases of Plone,\nso Plone 4.3.12, 5.0.7 and greater should not require this hotfix.\n\n\nInstallation\n============\n\nInstallation instructions can be found at\nhttps://plone.org/security/hotfix/20161129\n\n\nAutomated testing\n=================\n\nIf you have automated tests for your code and you want to run them in combination with this hotfix, to see if there any regressions, you should make sure the hotfix is included in your test setup.\nWith plone.app.testing it should look something like this in your test layer fixture::\n\n\n def setUpZope(self, app, configurationContext):\n from plone.testing import z2\n z2.installProduct(app, 'Products.PloneHotfix20161129')\n\nWith the old-style Products.PloneTestCase it should be like this::\n\n from Testing import ZopeTestCase\n ZopeTestCase.installProduct('PloneHotfix20161129', quiet=1)\n\n\nQ&A\n===\n\nQ: How can I confirm that the hotfix is installed correctly and my site is protected?\n A: On startup, the hotfix will log a number of messages to the Zope event log\n that look like this::\n\n 2016-11-29 08:42:11 INFO Products.PloneHotfix20161129 Applied publishing patch\n 2016-11-29 08:42:11 INFO Products.PloneHotfix20161129 Applied copy patch\n 2016-11-29 08:42:11 INFO Products.PloneHotfix20161129 Applied comments patch\n 2016-11-29 08:42:11 INFO Products.PloneHotfix20161129 You should call /@@apply-hotfix20161129 on all Plone Sites that have comments enabled.\n 2016-11-29 08:42:11 INFO Products.PloneHotfix20161129 Hotfix installed\n\n The exact number of patches applied, will differ depending on what packages you are using.\n If a patch is attempted but fails, it will be logged as a warning that says\n \"Could not apply\". This may indicate that you have a non-standard Plone\n installation.\n\nQ: How can I report problems installing the patch?\n A: Contact the Plone security team at security@plone.org, or visit the\n #plone channel on freenode IRC.\n\nQ: How can I report other potential security vulnerabilities?\n A: Please email the security team at security@plone.org rather than discussing\n potential security issues publicly.\n\n.. _`version support policy`: http://plone.org/support/version-support-policy\n\nChangelog\n=========\n\n1.2 (2016-11-29)\n----------------\n\n- Handle issue where not all comments on multilingual sites were reindexed.\n [maurits]\n\n\n1.1 (2016-11-29)\n----------------\n\n- handle issue where the comment upgrade would fail if a comment was in the\n catalog but removed from the site. You only need to upgrade to this version\n of the patch if you get an AttributeError running the commenting patch\n on the site.\n [vangheem]\n\n1.0 (2016-11-29)\n----------------\n\n- Initial release", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/plone", "keywords": "plone security hotfix patch", "license": "GPL", "maintainer": "", "maintainer_email": "", "name": "Products.PloneHotfix20161129", "package_url": "https://pypi.org/project/Products.PloneHotfix20161129/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/Products.PloneHotfix20161129/", "project_urls": { "Homepage": "https://github.com/plone" }, "release_url": "https://pypi.org/project/Products.PloneHotfix20161129/1.2/", "requires_dist": null, "requires_python": "", "summary": "Various Plone hotfixes, 2016-11-29", "version": "1.2" }, "last_serial": 2490033, "releases": { "1.0": [ { "comment_text": "", "digests": { "md5": "053f429abbc839ed2d988177ed9d17c6", "sha256": "bc4728faca401279f0e0b4d9a9518ad837e31f1b11ab742bbd8f252a963b70db" }, "downloads": -1, "filename": "Products.PloneHotfix20161129-1.0.tar.gz", "has_sig": false, "md5_digest": "053f429abbc839ed2d988177ed9d17c6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14862, "upload_time": "2016-11-29T15:01:06", "url": "https://files.pythonhosted.org/packages/68/49/c16fb2d0e2e6fb60f9f306c62a2111b23c6cdfdfc03f0599f82f7262098b/Products.PloneHotfix20161129-1.0.tar.gz" } ], "1.1": [ { "comment_text": "", "digests": { "md5": "39e28c741da08b9d06f7ab9e12ea8330", "sha256": "48081c0cdca51a984cc44cfad757b1c284f31a4618ea3526b29e110a8d82fedd" }, "downloads": -1, "filename": "Products.PloneHotfix20161129-1.1.tar.gz", "has_sig": false, "md5_digest": "39e28c741da08b9d06f7ab9e12ea8330", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15143, "upload_time": "2016-11-29T15:32:49", "url": "https://files.pythonhosted.org/packages/73/10/313104776d042066266be33137a2e46c6ecb8a2c670020daca665a8767c5/Products.PloneHotfix20161129-1.1.tar.gz" } ], "1.2": [ { "comment_text": "", "digests": { "md5": "8587fcbbe8e08db80042ada85aed204a", "sha256": "f8d21de8cf448f56a372126c7cdceb4f5cc450bfe6702de86fdf8950268e4adf" }, "downloads": -1, "filename": "Products.PloneHotfix20161129-1.2.tar.gz", "has_sig": false, "md5_digest": "8587fcbbe8e08db80042ada85aed204a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15247, "upload_time": "2016-11-29T16:37:22", "url": "https://files.pythonhosted.org/packages/a2/3f/01d3b82d32a4690aee0a3e1283829d814db5853642adf4c709204fbe91e7/Products.PloneHotfix20161129-1.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "8587fcbbe8e08db80042ada85aed204a", "sha256": "f8d21de8cf448f56a372126c7cdceb4f5cc450bfe6702de86fdf8950268e4adf" }, "downloads": -1, "filename": "Products.PloneHotfix20161129-1.2.tar.gz", "has_sig": false, "md5_digest": "8587fcbbe8e08db80042ada85aed204a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15247, "upload_time": "2016-11-29T16:37:22", "url": "https://files.pythonhosted.org/packages/a2/3f/01d3b82d32a4690aee0a3e1283829d814db5853642adf4c709204fbe91e7/Products.PloneHotfix20161129-1.2.tar.gz" } ] }