20151006

Plone affected versions

  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2
  • 4.1.6
  • 4.1.5
  • 4.1.4
  • 4.1.3
  • 4.1.2
  • 4.1.1
  • 4.1
  • 4.0.10
  • 4.0.9
  • 4.0.8
  • 4.0.7
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0
  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3

Release Notes

This is not a downloadable hotfix. The procedure for installing Hotfix 20151006 differs from other hotfix releases as it requires you to run buildout.

This hotfix should be applied to the following versions of Plone

  • Plone 4.x, but see below for more information on 4.3.9 and higher
  • Any older version of Plone is officially unsupported
  • Plone 5 is NOT vulnerable

Plone 4.3.9 and higher

Plone 4.3.9 and later already contain part of this hotfix. The main piece that is not included by default is plone.protect 3.x, which is what provides the automatic CSRF protection; Plone 4.3 keeps pinning plone.protect 2.x. The reason is that the automatic protection can be overly aggressive, as explained in the advisory linked below, so enabling it remains an explicit decision on your part. If you want the hotfix protection on any Plone 4.3.x site without too many problems, you always have to include plone4.csrffixes. It is too invasive to ever be merged into the core Plone 4.3 code, and that will not happen.

Also see Security vulnerability: 20151006 - CSRF for more information.

Installation instructions

The procedure for installing Hotfix 20151006 differs from other hotfix releases as it requires you to run buildout. This is not a downloadable hotfix.

Backup First!

It is prudent to backup all of your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, then you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to back up your Plone instance is to simply copy your entire Zope instance folder or buildout folder to a secure location.

Installing with Buildout

1) Find your buildout.cfg file, typically located in the "zinstance" or "zeocluster" subdirectory of your Plone installation directory.

2) Open your buildout.cfg file in your favorite text editor.

3) Scroll down to the "eggs" section of the buildout and add plone4.csrffixes, e.g.

[buildout]
...
eggs =
    ...
    plone4.csrffixes

4) Scroll down to the [versions] section of the buildout and add the following pins:

[versions]
...
plone4.csrffixes = 1.0.9
plone.protect = 3.1.4
plone.keyring = 3.0.2
plone.locking = 2.0.10

(Note: there may be a newer plone.protect release in the 3.x range; check pypi.org and pin that instead.)

On versions of Plone 4.0 and 4.1, you will also likely need to add a pin for lxml:

[versions]
lxml = 2.3.6

Additional pins that may help: the automatic CSRF protection reports a false positive when an older package writes to the database during a plain read. The following versions have been reported to avoid some of those write-on-read errors:

[versions]
...
Products.CMFQuickInstallerTool = 3.0.12
Products.PlonePAS = 5.0.4

5) Rerun buildout.

On Mac or Linux, the command is (-N keeps already-installed eggs at their current versions unless a pin says otherwise, -v gives verbose output):

$ ./bin/buildout -Nv

On windows, the command is:

> bin\buildout.exe -Nv

6) Restart your Zope instance. If the instance is already running, use restart instead of start.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.
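A pre-flight check for the buildout edits in the steps above, added here as an example; it is not code from this page, from Plone or from plone4.csrffixes. It parses a buildout.cfg with Python's configparser, which reads buildout's INI-like syntax well enough for this purpose, and reports whether plone4.csrffixes is in an eggs list and whether every pin from step 4 is present at or above the listed version, with plone.protect additionally required to be a 3.x release. The sample buildout.cfg inside it is constructed for the example; its plone.protect 2.0.3 pin stands in for whatever your release's versions.cfg pins and is not taken from this page.

```python
"""Pre-flight check for the buildout changes described above.

Added example; not code from the Plone hotfix page or from plone4.csrffixes.
It reads a buildout.cfg and lists what is still missing for the hotfix, so a
forgotten pin shows up before the instance restart does.
"""
import configparser
import re

HOTFIX_EGG = "plone4.csrffixes"

# Pins from the instructions above. A newer plone.protect in the 3.x range is
# fine; the 2.x that Plone 4.3 pins by default has no automatic CSRF protection.
REQUIRED_PINS = {
    "plone4.csrffixes": "1.0.9",
    "plone.protect": "3.1.4",
    "plone.keyring": "3.0.2",
    "plone.locking": "2.0.10",
}


def version_tuple(version):
    """'3.1.4' -> (3, 1, 4), so that '2.0.10' compares greater than '2.0.9'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def load_buildout(text):
    """Parse buildout.cfg text into {section: {option: value}}.

    Buildout syntax is close enough to INI for configparser: indented lines
    continue the previous value, and without interpolation a reference such
    as ${buildout:eggs} is kept verbatim. 'eggs +=' parses as option 'eggs +',
    so the trailing '+' is stripped.
    """
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # buildout option names are case-sensitive
    parser.read_string(text)
    return {name: {key.rstrip(" +"): value for key, value in parser.items(name)}
            for name in parser.sections()}


def eggs_in(sections):
    """Every egg named in any 'eggs' option ([buildout], [instance], ...)."""
    eggs = set()
    for options in sections.values():
        eggs.update(options.get("eggs", "").split())
    return eggs


def hotfix_problems(buildout_text):
    """List what is still missing for Hotfix 20151006; [] means ready."""
    sections = load_buildout(buildout_text)
    problems = []
    if HOTFIX_EGG not in eggs_in(sections):
        problems.append("%s is not listed in any eggs option" % HOTFIX_EGG)
    pins = sections.get("versions", {})
    for package, minimum in REQUIRED_PINS.items():
        pinned = pins.get(package)
        if pinned is None:
            problems.append("[versions] has no pin for %s (need %s)" % (package, minimum))
        elif version_tuple(pinned) < version_tuple(minimum):
            problems.append("%s is pinned to %s, older than %s" % (package, pinned, minimum))
        elif package == "plone.protect" and version_tuple(pinned)[:1] != (3,):
            problems.append("plone.protect %s is outside the 3.x range" % pinned)
    return problems


# Constructed sample: a minimal Plone 4.3 buildout before the hotfix, with a
# plone.protect 2.x pin standing in for the release's default.
BEFORE = """\
[buildout]
parts = instance
versions = versions
eggs =
    Plone
    Pillow

[instance]
recipe = plone.recipe.zope2instance
eggs = ${buildout:eggs}

[versions]
plone.protect = 2.0.3
"""

# The same buildout after steps 3 and 4 above.
AFTER = BEFORE.replace("    Pillow\n", "    Pillow\n    plone4.csrffixes\n").replace(
    "plone.protect = 2.0.3\n",
    "plone4.csrffixes = 1.0.9\n"
    "plone.protect = 3.1.4\n"
    "plone.keyring = 3.0.2\n"
    "plone.locking = 2.0.10\n",
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, hotfix_problems(cfg) or "ready: run bin/buildout -Nv")
```

To check a real file, call hotfix_problems(open("buildout.cfg").read()). The check only sees the [versions] section of the file you hand it: pins pulled in through an extends line (for example the release's versions.cfg) are invisible to it, so a pin reported as missing here may still be satisfied by buildout itself; a pin reported as too old or as 2.x in your own file, however, will override anything inherited and is a real problem.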

Issues fixed