Commit
1 parent 2a031d0, commit 125e196
Showing 2 changed files with 92 additions and 49 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,74 +1,101 @@ | ||
plone.versioncheck: 1.8.0 → 1.8.1 | ||
--------------------------------- | ||
Zope 4.8.7 → 4.8.10 | ||
------------------- | ||
|
||
- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch a to a list of denied types by setting OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. <img src="image.svg" /> works the same as before. (CVE-2023-42458) See security advisory. | ||
- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil. | ||
- Update RestrictedPython to version 5.4 to fix a potential a security issue. (CVE-2023-41039) | ||
- Update AccessControl to version 4.4 to fix a potential a security issue. (CVE-2023-41050) | ||
- Sanitize tainting fixing #1095 | ||
- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6. | ||
- Only set response header Content-Type as text/html on exception views when the response has content. (#1089) | ||
Update dependencies to the latest releases for each supported Python version. | ||
|
||
plone.recipe.zope2instance: 6.12.0 → 6.12.1 | ||
------------------------------------------- | ||
Documentation: | ||
|
||
- Update README: for ``RotatingFileHandler`` ``maxCount`` is not a valid keyword argument. | ||
Use ``backupCount``. | ||
[gforcada] (#190) | ||
|
||
|
||
plone.releaser: 1.8.8 → 1.8.9 | ||
----------------------------- | ||
Bug fixes: | ||
|
||
- Catch empty version and ignore invalid versions in more places. | ||
Needed when a package is explicitly unpinned, for example ``Zope =``. | ||
[maurits] | ||
- Allow disabling PyPI rights check, as this does not know how to check organisations. | ||
Set env variable ``PLONE_RELEASER_CHECK_PYPI_ACCESS=0`` if you want to disable it. | ||
Also, we do not check PyPI if the user is `__token__`, so using an API token. | ||
[maurits] (#50) | ||
|
||
- Fix missing changelog entries when running ``bin/manage changelog``. | ||
[maurits] (#60) | ||
|
||
|
||
Plone: 5.2.12 → 5.2.13 | ||
Plone: 5.2.13 → 5.2.14 | ||
---------------------- | ||
Bug fixes: | ||
|
||
- Release Plone 5.2.13. | ||
- Release Plone 5.2.14. | ||
[maurits] | ||
|
||
|
||
plone.app.caching: 2.2.0 → 2.2.1 | ||
-------------------------------- | ||
plone.app.multilingual: 5.6.4 → 5.6.6 | ||
------------------------------------- | ||
Bug fixes: | ||
|
||
- Fixed tests that compared a stable time with a ten year old Expires handler. | ||
[maurits] (#127) | ||
- Fix setting Indonesian language cookie on site root: must be ``id``, not ``id-id``. | ||
[maurits] (#304) | ||
|
||
- Fix ``set_recursive_language`` to actually find child objects. | ||
[maurits] (#304) | ||
|
||
plone.app.locales: 5.1.32 → 5.1.33 | ||
---------------------------------- | ||
- Update Italian widgets domain translations. | ||
[cekk] | ||
- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred. | ||
[maurits] (#304) | ||
|
||
- Do not unset the language on the Indonesian root language folder when saving the control panel. | ||
This language has ``id`` as code. This is not allowed as an id in Plone, so it is created as ``id-id`` instead. | ||
This needs some special handling. | ||
Added upgrade to recursively fix this language folder to set the Indonesian language. This is only done when the folder itself has the wrong language. | ||
[maurits] (#304) | ||
|
||
plone.app.portlets: 4.4.8 → 4.4.9 | ||
--------------------------------- | ||
Bug fixes: | ||
|
||
- Fix login button name [wkbkhard] (#132) | ||
|
||
|
||
plone.app.upgrade: 2.1.5 → 2.1.6 | ||
plone.app.upgrade: 2.1.6 → 2.1.7 | ||
-------------------------------- | ||
Bug fixes: | ||
|
||
- Added upgrade to 5221, Plone 5.2.13. | ||
[maurits] (#5221) | ||
- Added upgrade to 5222, Plone 5.2.14. | ||
[maurits] (#5222) | ||
|
||
|
||
plone.portlet.collection: 3.3.6 → 3.3.7 | ||
--------------------------------------- | ||
plone.namedfile: 5.6.0 → 5.6.1 | ||
------------------------------ | ||
Bug fixes: | ||
|
||
- Convert collection to list before randomizing it | ||
[witsch] (#42) | ||
- Fix stored XSS (Cross Site Scripting) for SVG images. | ||
Done by forcing a download instead of displaying inline. | ||
See `security advisory <https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x>`_. | ||
[maurits] (#1) | ||
|
||
|
||
Products.CMFPlone: 5.2.12 → 5.2.13 | ||
---------------------------------- | ||
plone.restapi: 7.8.2 → 7.8.3 | ||
---------------------------- | ||
Bug fixes: | ||
|
||
- Officially drop Python 3.7 support, as this version is end of life. | ||
We try not to break it though. | ||
[maurits] (#37) | ||
- Fix content serializer with an old version of an item that was renamed. @davisagli (#1651) | ||
|
||
- Fixed TinyMCE menubar settings when creating new Plone Site. | ||
It contained "toolsview" instead of "tools" and "view" due to a missing comma. | ||
Nothing goes wrong in Plone 5, but it causes those two menus to miss in Plone 6. | ||
[maurits] (#3785) | ||
|
||
- Do not publish unused CMFCore folder filter methods. | ||
[maurits] (#3826) | ||
Products.CMFCore: 2.7.0 → 2.7.1 | ||
------------------------------- | ||
- Make ``decodeFolderFilter`` and ``encodeFolderFilter`` non-public. | ||
This is the workaround from `CVE-2023-36814 <https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87>`_. | ||
|
||
|
||
Products.CMFPlone: 5.2.13 → 5.2.14 | ||
---------------------------------- | ||
Bug fixes: | ||
|
||
- Update metadata version to 5221, Plone 5.2.13. | ||
[maurits] (#5221) | ||
- Update metadata version to 5222, Plone 5.2.14. | ||
[maurits] (#5222) | ||
|
||
|
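Review bot: The security fixes in this changelog are not grouped or labelled as such, so a reader skimming the release notes can miss that this is a security release. The plone.namedfile 5.6.1 stored XSS fix for SVG images sits under "Bug fixes:", the Products.CMFCore 2.7.1 entry for CVE-2023-36814 has no section heading at all, and the Zope 4.8.10 items for CVE-2023-42458, CVE-2023-41039 and CVE-2023-41050 are mixed in with the filename and Content-Type fixes. Suggest a short security summary at the top of the file listing these advisories with their package versions. In the Zope entry it would also help to state that the allowlist is the default and that OFS_IMAGE_USE_DENYLIST=1 replaces it with a denylist, since operators may copy that setting without noticing that the entry limits the change to direct URL access. Minor: "You can switch a to a list of denied types" and "to fix a potential a security issue" (twice) contain stray words; if these lines are copied verbatim from the upstream changelogs, fix them upstream rather than here.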