
Plone Hotfix 20170117 Just Released.

by Spokane 2600 Webmaster published Jan 18, 2017 02:48 AM, last modified Jan 18, 2017 02:48 AM
Time to run those updates, Plone admins. Rare for Plone, this one is ready and released...

Hotfix to patch XSS and sandbox escape vulnerability

CVE numbers: CVE-2016-7147 and one not yet issued.

Versions Affected: All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version). Previous versions could be affected but have not been fully tested.

Versions Not Affected: None.

Nature of vulnerability: The patch addresses a reflected XSS vulnerability in Zope and a partial sandbox escape vulnerability available to system administrators.

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.0.10, 4.1.6, 4.2.7, 4.3.11 and 5.0.6. However, it has also received some testing on older versions of Plone.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.12, 5.0.7 and greater should not require this hotfix.
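The affected and fixed ranges above are easy to misread when you are triaging a fleet of sites (4.3.11 needs the hotfix, 4.3.12 does not; 5.0.6 needs it, 5.0.7 does not). The following is an added example, not code from Plone or from this announcement: it encodes only the version ranges the advisory states and classifies an installed Plone version as requiring the hotfix, not requiring it, or belonging to an older line the advisory calls "not fully tested". The function names, the regex, and the handling of pre-release suffixes are this example's own assumptions.

```python
"""Classify a Plone version against Hotfix 20170117 (added example).

Encodes only the ranges stated in the advisory:
  - affected: any 4.x up to and including 4.3.11, any 5.x up to and including 5.0.6
  - not required: 4.3.12, 5.0.7 and greater
  - earlier major lines (3.x and below): "could be affected but have not been fully tested"
"""
import re

# Highest affected release per major line, as stated in the advisory.
AFFECTED_UP_TO = {4: (4, 3, 11), 5: (5, 0, 6)}


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into an integer tuple.

    A trailing pre-release suffix such as 'rc1' is ignored (assumption: we
    treat a pre-release as the release it leads to). Raises ValueError on
    anything that does not start with a dotted numeric version.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised Plone version: %r" % (text,))
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def hotfix_status(version_text):
    """Return 'required', 'not required' or 'untested' for a Plone version string."""
    version = parse_version(version_text)
    major = version[0]
    if major in AFFECTED_UP_TO:
        # Tuple comparison gives the lexicographic ordering we want:
        # (4, 3, 11) <= (4, 3, 11) is affected, (4, 3, 12) is not.
        return "required" if version <= AFFECTED_UP_TO[major] else "not required"
    if major < min(AFFECTED_UP_TO):
        # 3.x and earlier: the advisory says these have not been fully tested.
        return "untested"
    # Anything newer than the 5.x line postdates the fix ("5.0.7 and greater").
    return "not required"


def triage(inventory):
    """Map each site name in a {site: version} dict to its hotfix status."""
    return {site: hotfix_status(ver) for site, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"intranet": "4.3.11", "www": "5.0.6", "staging": "5.0.7", "legacy": "3.3.6"}
    for site, status in sorted(triage(sample).items()):
        print("%-10s %s" % (site, status))
```

Run it against your own version inventory (for example the version reported in the Site Setup control panel); any site listed as "required" should receive the hotfix, and "untested" sites are the ones the advisory leaves open.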

Credit: Thanks to Tim Coen of Curesec GmbH for the responsible disclosure of the XSS vulnerability. The partial sandbox escape was found by the Plone security team, inspired by Armin Ronacher's writings on the subject.

The patch was released at 2017-01-17 15:00 UTC.
