From $URL:

A highly serious vulnerability in Zope that allows unauthorised access

The fix was released at 15:00 UTC on Tuesday 28th June, 2011. Full installation instructions.

Who should apply the patch

* Plone 4.x users must apply this patch or update to Zope2 2.12.19 (Plone 4.0) or 2.13.8 (Plone 4.1).
* Zope 2.12/2.13 users must apply this patch or update to Zope2 2.12.19 or 2.13.8.
* Plone 3.x users: the vulnerability was inadvertently backported by the previous hotfix http://plone.org/products/plone-hotfix/releases/CVE-2011-0720 (PloneHotfix20110720). Plone 3.x users should install both PloneHotfix20110720 and this hotfix to make sure that they are protected against both sets of vulnerabilities.
* Zope 2.10/2.11 users who are not using Plone: Zope 2.10 and 2.11 users who have not installed PloneHotfix20110720 are not affected by this vulnerability, and should not apply the patch. You should, however, make sure that you are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService 1.5.5, 1.6.5 or 1.7.5 which include fixes for the vulnerabilities in CVE-2011-0720. Please make sure that you have not installed PloneHotfix20110720; remove it if you have.

Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotfix on those sites.
Vulnerable versions are masked.
GLSA request filed.
CVE-2011-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2528): Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.
Closing old stuff.