Plone
Plone Bug-Fix Release 3.0.6
Plone 3.0.6 is out. This is a bug-fix release. If you are affected by one of the bugs it fixes, it would be a good idea to upgrade; otherwise there appears to be no rush. If you wish to upgrade, please file a support ticket.
Hotfix Released for Plone Hotfix 20071106
If you're still using Plone 2.5.4 or 3.0.2 (or earlier), you needed Plone Hotfix 20071106 back in November. There is now a hotfix for that hotfix, Plone Hotfix 20071106-2, which fixes a vulnerability in the original hotfix. If you're not confused, and you're running Plone 2.5.4 or earlier, or Plone 3.0.2 or earlier, please file a support ticket so we can install the new hotfix-hotfix for you. ;)
Plone 2.5.5 and 3.0.4 Released - Recommended Upgrades
If you're not yet using Plone 2.5.5 or 3.0.4, it's recommended that you upgrade right away to fix security issues. Contact support for assistance.
Urgent Plone Hotfix 20071106 for Plone 2.5 and 3.0
"This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process." More information on Plone Hotfix 20071106.
The hotfix is only for Plone 2.5 and 3.0 but of course if you are running anything earlier than 2.5 you need to upgrade anyway.
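Why that class of bug is so severe, as an added example (not code from this page or from the Plone project): Python's pickle format can name any importable callable and have it invoked at load time, so calling pickle.loads() on attacker-supplied bytes is remote code execution. The hostile object, the recording function that stands in for os.system, and the allow-listing unpickler below are all constructed for the demo; the restricted loader is a generic mitigation for untrusted pickles, not the fix Plone shipped.

```python
import io
import pickle

# Log of "attacker commands" that ran. The demo records a string instead of
# calling os.system so it is harmless; the mechanism is identical.
EXECUTED = []


def attacker_payload_ran(cmd):
    """Stand-in for os.system: pickle will call this on the victim side."""
    EXECUTED.append(cmd)
    return cmd


class MaliciousStatusMessage:
    """Constructed hostile object. pickle serialises __reduce__'s return
    value as 'import attacker_payload_ran and call it with these args', so
    the call happens inside whatever process unpickles the bytes."""

    def __reduce__(self):
        return (attacker_payload_ran, ("id > /tmp/pwned",))


def build_hostile_bytes():
    """What an attacker would place in a cookie or request body."""
    return pickle.dumps(MaliciousStatusMessage(), protocol=2)


def naive_load(data):
    """The vulnerable pattern: treating network bytes as a trusted pickle."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Generic mitigation: only resolve globals from an explicit allow-list.
    Anything else (os.system, subprocess.Popen, the attacker function above)
    raises before it can be called."""

    SAFE_GLOBALS = {"builtins": {"dict", "list", "tuple", "set", "str", "int", "float"}}

    def find_class(self, module, name):
        if name in self.SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run both loaders against the hostile bytes and a benign message."""
    hostile = build_hostile_bytes()
    benign = pickle.dumps({"type": "info", "message": "Changes saved."}, protocol=2)
    result = {}

    EXECUTED.clear()
    result["naive_returned"] = naive_load(hostile)
    result["naive_ran"] = list(EXECUTED)        # the "command" executed

    EXECUTED.clear()
    try:
        restricted_load(hostile)
        result["restricted_error"] = None
    except pickle.UnpicklingError as exc:
        result["restricted_error"] = str(exc)
    result["restricted_ran"] = list(EXECUTED)   # stays empty

    result["benign"] = restricted_load(benign)  # plain data still loads
    # The callable's module and name travel in clear text inside the pickle,
    # which is also what a wire-level detection rule can match on.
    result["name_on_wire"] = b"attacker_payload_ran" in hostile
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allow-list approach only helps when the data genuinely needs to be a pickle; for status messages and link-integrity bookkeeping, a format with no code-loading semantics (JSON, or a signed token) removes the problem entirely.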
Installation
To install this hotfix, log in via ssh, become root and cd to ~zope/instanceX/Products, where X is usually 1. If you are not using our standard instance setup, you will already know where your instance is.
wget http://plone.org/products/plone-hotfix/releases/20071106/PloneHotfix20071106.tar.gz
tar xzf PloneHotfix20071106.tar.gz
chown -R zope:zope PloneHotfix20071106
rm PloneHotfix20071106.tar.gz
It's installed; now you need to restart Zope. You can do so either via the Control Panel in Zope (Shutdown button) or with the command below:
zopectl restart
Be sure to log in to Zope and go to Control Panel > Products, where you can verify that PloneHotfix20071106 was successfully installed. If you need assistance, feel free to contact support.
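The steps above fetch the archive over plain HTTP and unpack it as root with no integrity check, so a practitioner would want to verify a checksum obtained out of band and inspect the archive's member names before extracting anything into Products. The following is an added example, not HSR's or Plone's code: it performs the same install (unpack into Products, chown to the instance user, delete the tarball) with those two checks in front. The expected SHA-256, the owner argument and the sample archive builder are assumptions made for the demo; the page itself publishes no checksum.

```python
import hashlib
import hmac
import io
import pathlib
import shutil
import tarfile
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_members(tar, topdir):
    """Refuse any member that is not a plain file or directory strictly
    inside topdir/: absolute paths, '..' components, links and devices
    would otherwise let a tampered archive write outside Products/."""
    for member in tar.getmembers():
        parts = pathlib.PurePosixPath(member.name).parts
        if not parts or member.name.startswith("/") or ".." in parts or parts[0] != topdir:
            raise ValueError(f"refusing member outside {topdir}/: {member.name!r}")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing non-regular member: {member.name!r}")


def install_hotfix(tarball, products_dir, topdir, expected_sha256, owner=None):
    """Install a hotfix tarball into products_dir after verifying it.

    expected_sha256: hex digest obtained from a trusted channel (assumption:
    the caller has one; the page provides none).
    owner: 'user' or 'user:group', e.g. 'zope:zope'; None skips chown so
    the demo can run unprivileged.
    """
    tarball = pathlib.Path(tarball)
    products_dir = pathlib.Path(products_dir)
    dest = products_dir / topdir

    actual = sha256_of(tarball)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"checksum mismatch for {tarball.name}: got {actual}")
    if dest.exists():
        raise FileExistsError(f"{dest} already exists; remove the old copy first")

    with tarfile.open(tarball, "r:gz") as tar:
        check_members(tar, topdir)
        # Newer Pythons also offer the 'data' extraction filter; use it when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(products_dir, **kwargs)

    if owner:
        user, _, group = owner.partition(":")
        for path in [dest, *dest.rglob("*")]:
            shutil.chown(path, user=user, group=group or None)

    tarball.unlink()  # the page's 'rm PloneHotfix20071106.tar.gz'
    return dest


def build_sample_archive(members, name="PloneHotfix20071106.tar.gz"):
    """Constructed fixture, not a real hotfix: a temp workdir containing an
    empty Products/ directory and a .tar.gz with the given member names."""
    work = pathlib.Path(tempfile.mkdtemp(prefix="hotfix-demo-"))
    products = work / "Products"
    products.mkdir()
    tarball = work / name
    with tarfile.open(tarball, "w:gz") as tar:
        for member_name in members:
            payload = b"# constructed placeholder\n"
            info = tarfile.TarInfo(member_name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return products, tarball


if __name__ == "__main__":
    products, tarball = build_sample_archive(["PloneHotfix20071106/__init__.py"])
    print("installed to", install_hotfix(tarball, products, "PloneHotfix20071106", sha256_of(tarball)))
```

Run as root on the real instance you would pass owner="zope:zope" and the digest you obtained separately; the member check is what stops a hostile archive from dropping files into the parent instance directory even when the checksum step is skipped.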
Plone 2.5.4 and 3.0.2 Released - Recommended Upgrade
Recommended Hotfix out for Plone 2.5.x
Plone releases that include PlonePAS (Plone 2.5.*) contain a vulnerability that allows a user to masquerade as a group. HSR recommends this hotfix for all Plone 2.5.x installs that allow anonymous user registration. Please file a ticket to have us install it for you. More information: PlonePAS user/group fix (CVE-2006-4249).
Plone 2.5.1 Released, Recommended Upgrade
Plone 2.5.1 is out. Plone 2.5.1 fixes several important security issues and is recommended for immediate use by those customers currently using Plone 2.5.0. Zope 2.9.5 is recommended for use with this Plone release. Please file a ticket to have HSR staff perform this upgrade for you. More information: Plone 2.5.1.
Zope 2.9.5 Released
Zope 2.9.5, a bug-fix release, is out. This upgrade is not urgent, and is not recommended unless you also wish to upgrade to Plone 2.5.1. More information: Zope 2.9.5 released.
Plone 2.1.4 Released, Recommended Upgrade
Plone 2.1.4, a bug-fix release, is out. We recommend that anyone using Plone 1, 2.0 or 2.1 immediately upgrade to Plone 2.1.4 for security reasons. Feel free to file a ticket to have us assist you with this. More information: Plone 2.1.4.
Plone 2.5 Available for Upgrade
Plone 2.5 has been out for a while now. We've upgraded several customers and no serious problems have been encountered, so please feel free to contact support if you'd like us to set up Plone 2.5 for you.