Plone Hotfix 20131210 released today
December 10, 2013
The Plone Security Team has announced a new hotfix protecting against recently discovered security vulnerabilities. The hotfix covers sites running Plone 3.3.6 through 4.3.2. The team recommends applying it within 60 minutes of its release, or putting your site into read-only mode until it is installed.
Sites running Plone versions prior to 3.3.6 are affected by the security issues but are no longer supported by the community, and no patch will be provided for them. Sites on these older, unsupported versions should be upgraded to a version that is covered by the hotfix.
Plone Support from Six Feet Up
We are monitoring the announcements from the Plone community and sending our clients updates with recommendations on security issues. In addition, Clayton Parker, our Director of Engineering, is a member of the Plone Security Team.
If you have a support agreement with Six Feet Up, you can request this hotfix through the support page. Otherwise, use the form on the right to request ad-hoc support, which is provided subject to availability.
When will the hotfix be available?
The hotfix is being released on Dec. 10th at 10 am EST (15:00 UTC).
What issues is the hotfix addressing?
Details of the issues have not been made public yet, to give system administrators time to install the hotfix before potential exploits are revealed. There are currently no known exploits, but once the hotfix is released, attackers can study its code to work out what it fixes and use that against systems that have not been updated. That window between release and installation is why the Security Team asks for the hotfix to be applied promptly.
What versions of Plone are supported?
The hotfix supports Plone 4.3.2, 4.3.1, 4.3, 4.2.6, 4.1.6, 4.0.9 and 3.3.6. If you are on a version not in this list, upgrade to at least 3.3.6 (ideally the latest supported point release of your series) before applying the hotfix.
How complex is the update?
The fix is applied by installing a hotfix package, which requires a restart of the Zope instance (every instance, in a ZEO cluster). The site may be down for a few minutes while the restart occurs.
How is the hotfix applied?
No existing code is changed. Instead, a package is added, via either buildout or a drop-in Plone add-on product, that patches the vulnerable code when the instance starts. The underlying fixes will be included in future Plone releases, so once you have upgraded to a release that contains them, the hotfix package can be removed.
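As an added example (not part of the original post, and not the Plone Security Team's own installation instructions), here is a minimal buildout.cfg fragment that adds the hotfix egg to a standard Plone buildout. The part name `instance`, the `Plone` egg and the version pin of 1.0 (taken from the PyPI link at the end of this post) are assumptions; adjust the part name if your buildout uses a different one.

```ini
# Added example: buildout.cfg fragment for installing the hotfix.
# Assumes a standard Plone buildout with a part named "instance"
# (or one part per ZEO client); other settings are left unchanged.
[buildout]
eggs =
    Plone
    Products.PloneHotfix20131210

[versions]
# Pin the hotfix to the released version so every instance in a
# cluster picks up exactly the same package.
Products.PloneHotfix20131210 = 1.0

[instance]
recipe = plone.recipe.zope2instance
eggs = ${buildout:eggs}
```

After saving the file, run `bin/buildout` and then restart the instance (`bin/instance restart`, or each client in a ZEO setup); the hotfix applies its patches at startup, so an instance that has not been restarted is still unpatched. Check the instance's startup log for the hotfix's own messages and confirm the package appears in the Products list of the ZMI Control Panel. If you are not using buildout, the alternative described above is to unpack the package's `Products/PloneHotfix20131210` directory into your instance's products directory and restart.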
Where can I get the hotfix?
It is available on PyPI at: https://pypi.python.org/pypi/Products.PloneHotfix20131210/1.0