Urgent Plone Hotfix 20071106 for Plone 2.5 and 3.0
"This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process." More information on Plone Hotfix 20071106.
The hotfix is only for Plone 2.5 and 3.0, but of course if you are running anything earlier than 2.5 you need to upgrade anyway.
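The root cause quoted above (network data handed to the pickle loader) is worth seeing in working code. The following is an added example written for this page; it is not code from the hotfix, from Plone or from the statusmessages/linkintegrity modules, and the names RestrictedUnpickler, encode_status, decode_status, SECRET_KEY and the sample pickles are all constructed for the demonstration (Python 3, standard library only). It shows the two standard mitigations: an unpickler that refuses any global outside an allowlist, and, preferable for cookie-sized state such as status messages, a non-executing encoding (JSON) whose integrity is checked with an HMAC before it is parsed.

```python
import base64
import binascii
import hashlib
import hmac
import importlib
import io
import json
import os
import pickle
from collections import OrderedDict

# Constructed allowlist: the only (module, name) pairs the restricted unpickler
# will resolve. A real deployment lists exactly the classes it stores, no more.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on ALLOWED_GLOBALS.

    Every class or function reference inside a pickle goes through find_class,
    so this one hook is the choke point for 'the pickle names some importable
    object'. It does not make pickle safe in general; it only bounds what a
    pickle can reach."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s from untrusted pickle" % (module, name))


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads(data) with the allowlist applied."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed key; in practice this comes from the application's secret config.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def encode_status(messages, key: bytes) -> str:
    """Serialise status messages as JSON and append an HMAC-SHA256 tag.

    JSON cannot name code objects, so even a forged body only yields data, and
    the tag lets the server reject anything it did not produce itself."""
    body = json.dumps(messages, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def decode_status(token: str, key: bytes):
    """Verify the tag first, then parse. Raises ValueError on any bad input."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("malformed status cookie") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("status cookie failed integrity check")
    return json.loads(body)


# Constructed sample pickles. The second one only references a harmless
# function, but it demonstrates the point: plain pickle.loads resolves any
# importable name a remote party writes into the byte stream.
SAMPLE_PICKLE_OK = pickle.dumps(OrderedDict(a=1))
SAMPLE_PICKLE_UNTRUSTED = pickle.dumps(os.getcwd)


def demo():
    """Exercise both mitigations and report each outcome as a boolean."""
    allowlisted = restricted_loads(SAMPLE_PICKLE_OK)
    try:
        restricted_loads(SAMPLE_PICKLE_UNTRUSTED)
        untrusted_rejected = False
    except pickle.UnpicklingError:
        untrusted_rejected = True

    token = encode_status(["Item saved."], SECRET_KEY)
    # Forge a different body but keep the original tag: the MAC check must fail.
    forged_body = base64.urlsafe_b64encode(b'["forged"]').decode()
    forged = "%s.%s" % (forged_body, token.split(".", 1)[1])
    try:
        decode_status(forged, SECRET_KEY)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True

    return {
        "plain_pickle_resolves_any_global": pickle.loads(SAMPLE_PICKLE_UNTRUSTED) is os.getcwd,
        "allowlisted_class_loads": isinstance(allowlisted, OrderedDict) and allowlisted["a"] == 1,
        "untrusted_global_rejected": untrusted_rejected,
        "signed_json_round_trips": decode_status(token, SECRET_KEY) == ["Item saved."],
        "forged_cookie_rejected": forgery_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-36s %s" % (check, "ok" if result else "FAIL"))
```

The allowlist approach is the smaller change for code that must keep reading pickles, but note that it still executes whatever constructors the allowed classes expose; moving cookie and form state to signed JSON removes the code-execution surface entirely, which is why it is the better long-term fix for data that crosses a trust boundary.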
Installation
To install this hotfix, log in via ssh, become root and cd to ~zope/instanceX/Products (X is usually 1). If you are not using our standard instance setup, you will already know where your instance is.
wget http://plone.org/products/plone-hotfix/releases/20071106/PloneHotfix20071106.tar.gz
tar xzf PloneHotfix20071106.tar.gz
chown -R zope:zope PloneHotfix20071106
rm PloneHotfix20071106.tar.gz
It is now installed, so you need to restart Zope. You can do so either via the Control Panel in Zope (Shutdown button) or with the command below:
zopectl restart
Be sure to log in to Zope and go to Control Panel > Products, where you can verify that PloneHotfix20071106 was successfully installed. If you need assistance, feel free to contact support.
Please download this updated hotfix:
wget http://plone.org/products/plone-hotfix/releases/20071106-2/PloneHotfix20071106.tar.gz
Further information: http://plone.org/products/plone-hotfix/releases/20071106-2