Skip to content

Commit

Permalink
Update changelog and release notes
Browse files Browse the repository at this point in the history
  • Loading branch information
mauritsvanrees committed Sep 21, 2023
1 parent 0b5e9c6 commit fda9b52
Show file tree
Hide file tree
Showing 2 changed files with 77 additions and 23 deletions.
40 changes: 25 additions & 15 deletions release/RELEASE-NOTES.md
Original file line number Diff line number Diff line change
@@ -1,24 +1,40 @@
# Release notes for Plone 6.0.7rc1
# Release notes for Plone 6.0.7

* Last updated: Thursday September 14, 2023
* Released: Thursday September 21, 2023
* Check the [release schedule](https://plone.org/download/release-schedule).
* Read the [upgrade guide](https://6.docs.plone.org/upgrade/index.html), explaining the biggest changes compared to 5.2.
* Canonical place for these [release notes](https://dist.plone.org/release/6.0-dev/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0-dev/changelog.txt).
* Canonical place for these [release notes](https://dist.plone.org/release/6.0.7/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0.7/changelog.txt).

If you want to jump straight in, here are two important links:

* With pip you can use the constraints file at [https://dist.plone.org/release/6.0-dev/constraints.txt](https://dist.plone.org/release/6.0-dev/constraints.txt)
* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0-dev/versions.cfg](https://dist.plone.org/release/6.0-dev/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0-dev/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0-dev/versions-ecosystem.cfg).
* With pip you can use the constraints file at [https://dist.plone.org/release/6.0.7/constraints.txt](https://dist.plone.org/release/6.0.7/constraints.txt)
* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0.7/versions.cfg](https://dist.plone.org/release/6.0.7/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0.7/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0.7/versions-ecosystem.cfg).


## Highlights

Major changes since 6.0.6:

* `Zope`: Security fixes in `AccessControl` and `RestrictedPython`. See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
* This includes security fixes from today's announcement:
* https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
* https://plone.org/security/hotfix/20230921
* `Zope`:
* Security fixes in `AccessControl` and `RestrictedPython`. See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
* Allow only some image types to be displayed inline. Force download for others, especially SVG images.
* Tighten down the ZMI frame source logic to only allow site-local sources.
* Added image dimensions to SVG file properties.
* `plone.namedfile`:
* Fix stored XSS (Cross Site Scripting) for SVG images.
* Add internal modification timestamp with fallback to _p_mtime.
* Use new internal modification timestamp as part of the hash key for scales.
* Fixed issue with SVG images that contain extensive metadata.
* `plone.rest`: When ``++api++`` is in the url multiple times, redirect to the proper url.
* `plone.restapi`:
* Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
* Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas.
* When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`.
* When deserializing blocks, `image_scales` is removed.
* Add `visit_blocks` util for finding all nested blocks.
* `plone.dexterity`: Fix a memory leak. For details see [issue 3829](https://github.com/plone/Products.CMFPlone/issues/3829).
* `plone.app.widgets`: Make this package deprecated. It still works, and is included in Plone 6.0, but Plone 6.1 will not ship with it.
Widget base classes have been moved to ``plone.app.z3cform.widgets.patterns``.
Expand All @@ -29,20 +45,14 @@ Major changes since 6.0.6:
To add it to an existing site, run `plone.volto.upgrades.add_block_types_index` manually.
* `plone.app.multilingual`: Fixes for Indonesian in a multilingual site. Fix `set_recursive_language` to actually find child objects.
* `plone.app.querystring`: Fix the `currentUser`` operation when the current user's username is different from their user id.
* `plone.namedfile`: Fixed issue with SVG images that contain extensive metadata.
* `plone.staticresources`: update to Mockup 5.1.4:
* `plone.staticresources`: Update Bootstrap to `5.3.2`, bootstrap-icons to `1.11.1` and Mockup to `5.1.5`:
* pat structure: Fix popover-structure-columns, use 2-column layout. (9fb499e)
* pat structure: Fix sticky position when toolbar is on top.
* pat tinymce: Fix image modal with selected image.
* `plonetheme.barceloneta`: Update Bootstrap to `5.3.1`
* pat tinymce: Fix image modal with selected image. Properly await the select2 initialization when using it from the insert image or insert link dialogs.
* `plonetheme.barceloneta`: Update Bootstrap to `5.3.2`
* `Products.CMFCore`:
* Improve handling of PortalFolder filter input.
* Provide a way to not publish items that are acquired.
* `plone.restapi`:
* Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas.
* When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`.
* When deserializing blocks, `image_scales` is removed.
* Add `visit_blocks` util for finding all nested blocks.
* `plone.app.locales`: Updates to nl translations.


Expand Down
60 changes: 52 additions & 8 deletions release/changelog.txt
Original file line number Diff line number Diff line change
@@ -1,7 +1,13 @@

Zope 5.8.3 → 5.8.4
Zope 5.8.3 → 5.8.5
------------------

- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch a to a list of denied types by setting OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. <img src="image.svg" /> works the same as before. (CVE-2023-42458) See security advisory.
- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
- Added image dimensions to SVG file properties #1146.
- Fix username not in access log for error requests, see issue #1155.
- Update to newest compatible versions of dependencies.
- Add preliminary support for Python 3.12rc3.
- Disable a ZCatalog (more precisly: Products.PluginIndexes) performance test which occasionally fails on GitHub. For details, see #1136.
- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
- Update to newest compatible versions of dependencies.
Expand All @@ -11,7 +17,6 @@ Zope 5.8.3 → 5.8.4
- Update RestrictedPython to version 6.2 to mitigate a security problem. (CVE-2023-41039)
- Update AccessControl to version 6.2 to mitigate a security problem. (CVE-2023-41050)


pip: 23.1.2 → 23.2
------------------

Expand Down Expand Up @@ -150,10 +155,13 @@ Bug fixes:
[gforcada] (#147)


plone.app.upgrade: 3.0.6 → 3.0.7
plone.app.upgrade: 3.0.6 → 3.0.8
--------------------------------
Bug fixes:

- Fix error in site syndication settings when upgrading.
[maurits] (#315)

- Add Upgrade Step to fix ISyndicationSettings
[1letter] (#315)

Expand Down Expand Up @@ -237,7 +245,7 @@ Internal:
[plone devs] (55bda5c9)


plone.namedfile: 6.1.1 → 6.2.0
plone.namedfile: 6.1.1 → 6.2.1
------------------------------
New features:

Expand All @@ -249,6 +257,11 @@ New features:

Bug fixes:

- Fix stored XSS (Cross Site Scripting) for SVG images.
Done by forcing a download instead of displaying inline.
See `security advisory <https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x>`_.
[maurits] (#1)

- Fixed the issue where SVG images containing extensive metadata were not being displayed
correctly (resulting in a width/height of 1px). This problem could occur when the
<svg> tag exceeded the MAX_INFO_BYTES limit.
Expand Down Expand Up @@ -279,7 +292,18 @@ Documentation:
[gforcada] (#190)


plone.restapi: 8.40.0 → 8.43.2
plone.rest: 3.0.0 → 3.0.1
-------------------------
Bug fixes:

- When ``++api++`` is in the url multiple times, redirect to the proper url.
When the url is badly formed, for example ``++api++/something/++api++``, give a 404 NotFound.
Fixes a denial of service.
See `security advisory <https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq>`_.
[maurits] (#1)


plone.restapi: 8.40.0 → 8.43.3
------------------------------
New features:

Expand All @@ -293,6 +317,12 @@ New features:

Bug fixes:

- Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
Done by forcing a download instead of displaying inline.
Normal accessing via an image tag is not affected and is safe.
See `security advisory <https://github.com/plone/plone.restapi/security/advisories/GHSA-hc5c-r8m5-2gfh>`_.
[maurits] (#1)

- Make new release to add missing changelog entries for 8.43.1.
[maurits] (#8431)

Expand Down Expand Up @@ -360,10 +390,13 @@ Internal:
[plone devs] (7723aeaf)


plone.staticresources: 2.1.3 → 2.1.6
plone.staticresources: 2.1.3 → 2.1.7
------------------------------------
Bug fixes:

- Update Bootstrap to ``5.3.2``, bootstrap-icons to ``1.11.1`` and Mockup to ``5.1.5``.
[petschki] (#303)

- Mockup 5.1.4 - see https://github.com/plone/mockup/releases/tag/5.1.4
[petschki] (#302)

Expand All @@ -379,6 +412,14 @@ Internal:
[plone devs] (cfffba8c)


plone.testing: 8.0.3 → 8.0.4
----------------------------
Bug fixes:

- Fix tests when run with ZODB 5.8.1+.
[maurits] (#581)


plone.volto: 4.0.9 → 4.1.0
--------------------------
New features:
Expand All @@ -402,6 +443,8 @@ plonetheme.barceloneta: 3.1.3 → 3.1.4

Bug fixes:

- Update Bootstrap to 5.3.2 [petschki] #346

- Update Bootstrap to ``5.3.1``
[petschki] #343

Expand All @@ -416,11 +459,12 @@ Documentation:
[maurits] #338


Products.CMFPlone: 6.0.6 → 6.0.7rc1
-----------------------------------
Products.CMFPlone: 6.0.6 → 6.0.7
--------------------------------

Bug fixes:

- Register site syndication settings from plone.base instead of CMFPlone. [maurits] #315
- Explicitly disable ``Products.CMFCore.explicitacquisition`` in Plone 6.
[jaroel] explicitacquisition
- Update `plone.app.z3cform` dependency version and deprecate `plone.app.widgets`
Expand Down

0 comments on commit fda9b52

Please sign in to comment.