
Bug 373989 (CVE-2011-2528)

Summary: net-zope/zope, net-zope/plone: Unspecified Serious Vulnerability (CVE-2011-2528)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: major
CC: net-zope+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://plone.org/products/plone/security/advisories/20110622
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-07-04 05:40:37 UTC
From $URL:

A highly serious vulnerability in Zope that allows unauthorised access

The fix was released at 15:00 UTC on Tuesday 28th June, 2011.

Full installation instructions.
Who should apply the patch

    * Plone 4.x users must apply this patch or update to Zope2 2.12.19 (Plone 4.0) or 2.13.8 (Plone 4.1).
    * Zope 2.12/2.13 users must apply this patch or update to Zope2 2.12.19 or 2.13.8.
    * Plone 3.x users: the vulnerability was inadvertently backported by the previous hotfix http://plone.org/products/plone-hotfix/releases/CVE-2011-0720 (PloneHotfix20110720). Plone 3.x users should install both PloneHotfix20110720 and this hotfix to make sure that they are protected against both sets of vulnerabilities.
    * Zope 2.10/2.11 users who are not using Plone: Zope 2.10 and 2.11 users who have not installed PloneHotfix20110720 are not affected by this vulnerability, and should not apply the patch. You should, however, make sure that you are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService 1.5.5, 1.6.5 or 1.7.5 which include fixes for the vulnerabilities in CVE-2011-0720. Please make sure that you have not installed PloneHotfix20110720; remove it if you have.

Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotfix on those sites.
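The "who should apply the patch" rules quoted above are easy to misread, since the same Zope 2.10/2.11 line is affected or not depending on whether PloneHotfix20110720 was installed. The following triage helper is an added example, not code from Gentoo, Plone or the advisory: it encodes those rules as a version-range check so a fleet inventory can be classified consistently. The version strings, the hotfix flag and the sample inventory are constructed inputs; PluggableAuthService versions are not checked, only mentioned in the recommended action.

```python
"""Triage helper for CVE-2011-2528 (constructed example, not Gentoo's or Plone's code).

Encodes the patch-applicability rules of the Plone advisory quoted above as a
version-range check. Inputs are plain version strings and a flag for whether
PloneHotfix20110720 is installed; no real installation is inspected.
"""
from typing import List, Optional, Tuple

HOTFIX_PREV = "PloneHotfix20110720"  # earlier hotfix that backported the bug to Plone 3.x

# Zope2 lines affected by CVE-2011-2528 and the first fixed patch level in each.
FIXED_2528 = {(2, 12): 19, (2, 13): 8}
# Zope2 lines that carry the CVE-2011-0720 fix in Zope itself (the 2.10/2.11 rule).
FIXED_0720 = {(2, 10): 13, (2, 11): 8}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.12.18' -> (2, 12, 18); a missing patch level counts as 0.

    Only purely numeric dotted versions are accepted, so a typo or an
    unexpected suffix raises instead of silently comparing as 'fixed'.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts] + [0]
    return nums[0], nums[1], nums[2]


def assess(zope_version: str,
           plone_version: Optional[str] = None,
           hotfix_20110720_installed: bool = False) -> Tuple[str, str]:
    """Classify one install as ('vulnerable' | 'not affected', recommended action)."""
    major, minor, patch = parse_version(zope_version)
    line = (major, minor)
    plone_major = parse_version(plone_version)[0] if plone_version else None

    # Zope 2.12/2.13 (the base of Plone 4.x): fixed in 2.12.19 / 2.13.8.
    if line in FIXED_2528:
        fixed = f"{major}.{minor}.{FIXED_2528[line]}"
        if patch < FIXED_2528[line]:
            return "vulnerable", f"update to Zope2 {fixed} or apply the CVE-2011-2528 hotfix"
        return "not affected", f"Zope2 {fixed} or later already contains the fix"

    # Zope 2.10/2.11: only vulnerable where PloneHotfix20110720 backported the bug.
    if line in FIXED_0720:
        if plone_major == 3:
            action = f"install both {HOTFIX_PREV} and the CVE-2011-2528 hotfix"
            status = "vulnerable" if hotfix_20110720_installed else "not affected"
            return status, action
        if hotfix_20110720_installed:
            return "vulnerable", f"remove {HOTFIX_PREV}; it is not meant for Zope {major}.{minor} without Plone"
        fixed = f"{major}.{minor}.{FIXED_0720[line]}"
        if patch < FIXED_0720[line]:
            return "not affected", (f"do not apply this hotfix, but update to Zope2 {fixed} "
                                    f"and a fixed PluggableAuthService for CVE-2011-0720")
        return "not affected", "do not apply this hotfix"

    # Zope 2.8/2.9 (Plone 2.5) and anything else: outside the scope of this advisory.
    return "not affected", "do not install this hotfix on this site"


def triage(inventory: List[Tuple[str, str, Optional[str], bool]]) -> List[Tuple[str, str, str]]:
    """Run assess() over (host, zope_version, plone_version, hotfix_installed) rows."""
    return [(host, *assess(zv, pv, hf)) for host, zv, pv, hf in inventory]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("www1", "2.13.7", "4.1", False),
    ("www2", "2.13.8", "4.1", False),
    ("intranet", "2.10.13", "3.3.5", True),
    ("legacy-zope", "2.11.8", None, True),
    ("archive", "2.9.12", "2.5", False),
]

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:13} {action}")
```

The hotfix flag is deliberately an explicit input rather than something guessed from the Zope version: the advisory's whole point is that an identical Zope 2.10.13 is clean on a bare Zope host but exposed on one where the earlier Plone hotfix was dropped in, and only the operator knows which is the case.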
Comment 1 Arfrever Frehtes Taifersar Arahesis 2011-10-02 16:06:14 UTC
Vulnerable versions are masked.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 23:48:21 UTC
GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:39:34 UTC
CVE-2011-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2528):
  Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x
  before 2.13.8, as used in Plone 4.x and other products, and (2)
  PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via
  unspecified vectors, related to a "highly serious vulnerability." NOTE: this
  vulnerability exists because of an incorrect fix for CVE-2011-0720.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2014-02-09 13:07:28 UTC
Closing old stuff.