Zope/Plone Security Fix Issues January 13, 2010
January 13, 2010
The Zope Community (http://zope.org) issued a security fix on January 13, 2010 that affects all sites using Zope 2.8 and newer. Since all Plone sites use Zope, it is strongly recommended that this latest release be applied to your Plone site. This release of Zope addresses a potential cross-site scripting vulnerability, which, if exploited, could allow attackers to access secure data in the website. Please see http://en.wikipedia.org/wiki/Cross-site_scripting for more details.
The specific Zope update needed depends on which version of Plone you are running. See the chart below for the correct update:
If your Plone site runs a version older than Plone 2.5, you are using Zope 2.7 and do not have a patch to apply.
Zope 2.8: http://www.zope.org/Products/Zope/2.8.12
Zope 2.9: http://www.zope.org/Products/Zope/2.9.12
Zope 2.10: http://www.zope.org/Products/Zope/2.10.11
Before you start the upgrade to the latest Zope version, make sure you have a backup of your data.fs and/or buildout.
If you have a buildout-based install, then you can most likely change the download URL to point to the latest Zope version and re-run buildout.
If you have a non-buildout-based install, then you need to download the latest Zope version, compile it, and make sure that your start-up scripts and Zope configuration files point to the latest Zope version.
Make sure to restart your site once the change is in effect so that the new Zope is applied.
 - http://plone.org/documentation/manual/developer-manual/managing-projects-with-buildout/understanding-buildout.cfg
 - http://plone.org/documentation/kb/setup-from-source/
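For the buildout-based case described above, the following added example (not part of the original advisory and not Six Feet Up's or the Zope project's code) reads the Zope download URL from a buildout.cfg and compares its version with the fixed releases listed above. It assumes a part named zope2 that uses plone.recipe.zope2install with a url option; the sample configuration and its example.invalid URL are constructed.

```python
import configparser
import re

# Fixed releases per Zope branch, taken from the list in this advisory.
FIXED = {(2, 8): (2, 8, 12), (2, 9): (2, 9, 12), (2, 10): (2, 10, 11)}
# Version inside a download URL such as ".../Zope-2.10.9-final.tgz" (assumed naming).
VERSION_RE = re.compile(r"Zope-(\d+)\.(\d+)\.(\d+)")
# A buildout ${section:option} reference.
REF_RE = re.compile(r"\$\{([^:}]+):([^}]+)\}")

# Constructed sample buildout.cfg; part name and URL are assumptions.
SAMPLE = """[buildout]
parts = zope2

[versions]
zope2-url = http://example.invalid/Zope-2.10.9-final.tgz

[zope2]
recipe = plone.recipe.zope2install
url = ${versions:zope2-url}
"""


def zope_url(cfg_text, part="zope2"):
    """Return the download URL of `part`, resolving ${section:option} references."""
    cfg = configparser.RawConfigParser()  # no interpolation, "${...}" stays literal
    cfg.read_string(cfg_text)
    value = cfg.get(part, "url")
    for _ in range(5):  # bounded, so a reference cycle cannot loop forever
        m = REF_RE.search(value)
        if not m:
            break
        value = value.replace(m.group(0), cfg.get(m.group(1), m.group(2)))
    return value


def check(cfg_text):
    """Classify the configured Zope: 'fixed', 'upgrade to X.Y.Z' or 'no fix listed'."""
    m = VERSION_RE.search(zope_url(cfg_text))
    if not m:
        return "unknown version"
    version = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:  # e.g. Zope 2.7, for which no patched release is listed
        return "no fix listed for %d.%d" % version[:2]
    if version >= fixed:
        return "fixed"
    return "upgrade to %d.%d.%d" % fixed
```

Calling check(SAMPLE) on the constructed configuration reports that the 2.10 branch needs the 2.10.11 release; run it again after editing the URL and before re-running buildout.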
If you would like to have Six Feet Up perform the upgrade for your site, please email firstname.lastname@example.org with the subject line of "Zope Security Fix". We will then set up a Time and Materials contract with your organization for the work to be done.