Message-ID: <1afd8036-850f-c98e-5ee8-9e95f658e82e@vanrees.org>
Date: Fri, 22 Sep 2023 12:14:42 +0200
From: Maurits van Rees <maurits@...rees.org>
To: oss-security@...ts.openwall.com
Subject: Plone security advisory 2023/09/21

Various vulnerabilities in Plone and Zope have been reported and fixed. 
They affect all supported Plone versions: 5.2 and 6.0. Older Plone 
versions are likely also affected.
There will be no traditional hotfix package for these: you should update the version pins of the individual packages. See [this post](https://community.plone.org/t/less-plone-hotfix-packages/17931?u=mauritsvanrees) about why we release fewer hotfix packages.

The information can be found here:
https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
https://plone.org/security/hotfix/20230921

The text is included below.


## Denial of service

In `plone.rest`, when the `++api++` traverser is accidentally repeated several times in a URL, handling the request takes increasingly longer with each repetition, making the server less responsive.

Security advisory: 
[CVE-2023-42457](https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq).
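As an added example (not code from the advisory or from `plone.rest`), the following scans access-log lines for requests that repeat the `++api++` traverser, which is the pattern behind this slowdown; it is useful for spotting such requests, accidental or otherwise, before and after the package update. The log format and sample lines are constructed for this example.

```python
import re
from collections import Counter

# Combined-log-format line: client IP, request line, status. Only these fields are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def api_traverser_count(path: str) -> int:
    """Number of path segments that are exactly the ++api++ traverser (query string ignored)."""
    path = path.split("?", 1)[0]
    return sum(1 for seg in path.split("/") if seg == "++api++")

def flag_repeated_api(log_lines, threshold: int = 2):
    """Return (ip, path, count) for every request using ++api++ `threshold` or more times."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        n = api_traverser_count(m.group("path"))
        if n >= threshold:
            hits.append((m.group("ip"), m.group("path"), n))
    return hits

def per_client_totals(hits):
    """Aggregate flagged requests per client, the figure an alert would key on."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample lines (not from a real server); the repeated traverser is the signal.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Sep/2023:12:14:42 +0200] "GET /Plone/++api++/@navigation HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Sep/2023:12:14:43 +0200] "GET /Plone/++api++/++api++/++api++/@search HTTP/1.1" 200 2048',
    '198.51.100.9 - - [22/Sep/2023:12:14:44 +0200] "GET /Plone/++api++/++api++/front-page HTTP/1.1" 200 1024',
    '198.51.100.9 - - [22/Sep/2023:12:14:45 +0200] "GET /Plone/front-page HTTP/1.1" 200 800',
]
```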

## Stored XSS

There is a stored cross-site scripting vulnerability for SVG images. A [security hotfix from 2021](https://github.com/plone/Products.PloneHotfix20210518) already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for *scales* of SVG images, and for *user portraits*, in both Volto and ClassicUI.

Technically, ClassicUI is not vulnerable through user portraits, because it does not let you upload an SVG as a user portrait. Volto does, so a vulnerable URL in the backend may be reachable anyway.

Note that a page that uses an image tag with an SVG image as source is 
never vulnerable, even when the SVG image contains malicious code. To 
exploit the vulnerability, an attacker would first need to upload a 
malicious SVG image, and then trick a user into following a specially 
crafted link.
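As an added illustration (not Plone's own code), this models the serving rule the advisory describes: before the fix only the original image was forced to download, while scales and portraits fell through to inline rendering; the hardened rule makes every SVG payload an attachment whichever URL kind serves it, and sniffs the bytes in case the declared type is wrong. The `kind` labels, function names and samples are assumptions for this example.

```python
SVG_TYPES = {"image/svg+xml", "image/svg"}

def looks_like_svg(data: bytes) -> bool:
    """Sniff the payload so a mislabeled upload is still treated as SVG."""
    head = data[:2048].lstrip().lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)

def disposition_before(content_type, data, kind):
    """Rule as the advisory describes the 2021 partial fix: only the original image
    (kind == 'original') is forced to download; scales and portraits render inline."""
    is_svg = content_type in SVG_TYPES or looks_like_svg(data)
    return "attachment" if (kind == "original" and is_svg) else "inline"

def disposition_fixed(content_type, data, kind):
    """Hardened rule: any SVG payload is an attachment, whatever URL kind served it."""
    is_svg = content_type in SVG_TYPES or looks_like_svg(data)
    return "attachment" if is_svg else "inline"

def content_disposition_header(disposition, filename):
    """Header value with quote and line-break characters removed from the filename."""
    safe = "".join(ch for ch in filename if ch not in '"\r\n')
    return f'{disposition}; filename="{safe}"'

# Constructed samples: a harmless SVG and a PNG header; the rule keys on type, not on content.
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```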

Fixes are needed in three packages. We link to the security advisories:

* [`plone.namedfile`](https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x): CVE-2023-41048
* [`Zope`](https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v): CVE-2023-42458
* [`plone.restapi`](https://github.com/plone/plone.restapi/security/advisories/GHSA-hc5c-r8m5-2gfh): also CVE-2023-42458

## Information disclosure and sandbox escape

Earlier this month, new Zope releases were made, which included security releases of `AccessControl` and `RestrictedPython`. See the [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).

## Fixed Plone versions

All needed packages are included in Plone 5.2.14 and 6.0.7, which have just been released.

## Package versions

If you cannot or do not want to upgrade your entire Plone version, you 
can upgrade individual package versions.

Fixes are available in these versions:

```
AccessControl = 4.4, 5.8, 6.2
RestrictedPython = 5.4, 6.2
plone.namedfile = 5.6.1, 6.0.3, 6.1.3, 6.2.1
plone.rest = 2.0.1, 3.0.1
plone.restapi = 8.43.4
Zope = 4.8.10, 5.8.5
```

If you are using Buildout, then for the `Zope`, `AccessControl` and `RestrictedPython` versions it is best to update the `[buildout] extends` lines to include the following.

For Plone 5.2: 
https://zopefoundation.github.io/Zope/releases/4.8.10/versions.cfg

For Plone 6: 
https://zopefoundation.github.io/Zope/releases/5.8.5/versions.cfg

So which versions of these packages should you use on which Plone version?

To avoid surprises, you should use the version that is closest to the 
version you are already using. If you use the default versions, the 
following should help. This uses the Buildout notation. If you use a pip 
constraints file, you should use a double equals sign.

### Plone 5.2

```
AccessControl = 4.4
plone.namedfile = 5.6.1
RestrictedPython = 5.4
Zope = 4.8.10
```

If you run Plone 5.2 on Python 3, and you are already using 
`plone.restapi` 8, then you can additionally use:

```
plone.restapi = 8.43.4
```

### Plone 6.0.0/6.0.1

```
AccessControl = 5.8
plone.namedfile = 6.0.3
plone.rest = 2.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```

### Plone 6.0.2

```
AccessControl = 5.8
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```

### Plone 6.0.3/6.0.4

```
AccessControl = 6.2
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```

### Plone 6.0.5/6.0.6

```
AccessControl = 6.2
plone.namedfile = 6.1.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```
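To check an existing pin file against the fixed versions above, here is an added audit script (not from Plone or the advisory). It reads either Buildout `[versions]` pins or a pip constraints file, picks the fixed release in the same series as each pin (same major, then the longest common version prefix, which is the "closest version" rule the text gives), and reports what still needs raising; the sample pins are constructed.

```python
import re

# Fixed releases listed in the advisory, keyed by lower-cased package name.
FIXED = {
    "accesscontrol": ["4.4", "5.8", "6.2"],
    "restrictedpython": ["5.4", "6.2"],
    "plone.namedfile": ["5.6.1", "6.0.3", "6.1.3", "6.2.1"],
    "plone.rest": ["2.0.1", "3.0.1"],
    "plone.restapi": ["8.43.4"],
    "zope": ["4.8.10", "5.8.5"],
}
# Matches both Buildout pins ("Zope = 5.8.5") and pip constraints ("Zope==5.8.5").
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(?:==|=)\s*([0-9][^\s;#]*)")

def parse_version(text):
    """Numeric tuple; non-numeric parts such as 'rc1' are dropped, which errs on the safe side."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def closest_fix(pinned, fixes):
    """Fixed release in the pin's own series (same major, longest common prefix); None if no such series."""
    candidates = [c for c in map(parse_version, fixes) if c[:1] == pinned[:1]]
    def common_prefix(fix):
        return next((i for i, (a, b) in enumerate(zip(pinned, fix)) if a != b), min(len(pinned), len(fix)))
    return max(candidates, key=lambda fix: (common_prefix(fix), fix), default=None)

def parse_pins(text):
    matches = (PIN_RE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}

def audit(pins_text):
    """Map each advisory package found in the pins to 'ok', a required minimum, or a series warning."""
    pins = parse_pins(pins_text)
    report = {}
    for name in FIXED.keys() & pins.keys():
        pinned = parse_version(pins[name])
        fix = closest_fix(pinned, FIXED[name])
        if fix is None:
            report[name] = "no fixed release in this series; move to a supported series"
        elif pinned >= fix:
            report[name] = "ok"
        else:
            report[name] = "vulnerable; pin at least " + ".".join(map(str, fix))
    return report

# Constructed sample pins mixing Buildout and pip notation.
SAMPLE_PINS = """[versions]
AccessControl = 5.8
plone.namedfile = 6.0.2
Zope==5.8.4
"""
```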

If you are having problems with the installation, or see regressions, 
please make a post in this thread, and anyone can help you.

If you see further security problems, please [mail the Plone/Zope 
Security Team](mailto:security@...ne.org).


-- 
Maurits van Rees https://maurits.vanrees.org/
Plone/Zope Security Team
