diff --git a/release/RELEASE-NOTES.md b/release/RELEASE-NOTES.md index 788104110c..36c9961cce 100644 --- a/release/RELEASE-NOTES.md +++ b/release/RELEASE-NOTES.md 
@@ -1,24 +1,40 @@ -# Release notes for Plone 6.0.7rc1 +# Release notes for Plone 6.0.7 -* Last updated: Thursday September 14, 2023 +* Released: Thursday September 21, 2023 * Check the [release schedule](https://plone.org/download/release-schedule). * Read the [upgrade guide](https://6.docs.plone.org/upgrade/index.html), explaining the biggest changes compared to 5.2. -* Canonical place for these [release notes](https://dist.plone.org/release/6.0-dev/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0-dev/changelog.txt). +* Canonical place for these [release notes](https://dist.plone.org/release/6.0.7/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0.7/changelog.txt). If you want to jump straight in, here are two important links: -* With pip you can use the constraints file at [https://dist.plone.org/release/6.0-dev/constraints.txt](https://dist.plone.org/release/6.0-dev/constraints.txt) -* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0-dev/versions.cfg](https://dist.plone.org/release/6.0-dev/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0-dev/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0-dev/versions-ecosystem.cfg). +* With pip you can use the constraints file at [https://dist.plone.org/release/6.0.7/constraints.txt](https://dist.plone.org/release/6.0.7/constraints.txt) +* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0.7/versions.cfg](https://dist.plone.org/release/6.0.7/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0.7/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0.7/versions-ecosystem.cfg). ## Highlights Major changes since 6.0.6: -* `Zope`: Security fixes in `AccessControl` and `RestrictedPython`. 
See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849). +* This includes security fixes from today's announcement: + * https://community.plone.org/t/plone-security-advisory-2023-09-21/17941 + * https://plone.org/security/hotfix/20230921 +* `Zope`: + * Security fixes in `AccessControl` and `RestrictedPython`. See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849). + * Allow only some image types to be displayed inline. Force download for others, especially SVG images. + * Tighten down the ZMI frame source logic to only allow site-local sources. + * Added image dimensions to SVG file properties. * `plone.namedfile`: + * Fix stored XSS (Cross Site Scripting) for SVG images. * Add internal modification timestamp with fallback to _p_mtime. * Use new internal modification timestamp as part of the hash key for scales. + * Fixed issue with SVG images that contain extensive metadata. +* `plone.rest`: When ``++api++`` is in the url multiple times, redirect to the proper url. +* `plone.restapi`: + * Fix stored XSS (Cross Site Scripting) for SVG image in user portrait. + * Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas. + * When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`. + * When deserializing blocks, `image_scales` is removed. + * Add `visit_blocks` util for finding all nested blocks. * `plone.dexterity`: Fix a memory leak. For details see [issue 3829](https://github.com/plone/Products.CMFPlone/issues/3829). * `plone.app.widgets`: Make this package deprecated. It still works, and is included in Plone 6.0, but Plone 6.1 will not ship with it. Widget base classes have been moved to ``plone.app.z3cform.widgets.patterns``. 
@@ -29,20 +45,14 @@ Major changes since 6.0.6: To add it to an existing site, run `plone.volto.upgrades.add_block_types_index` manually. * `plone.app.multilingual`: Fixes for Indonesian in a multilingual site. Fix `set_recursive_language` to actually find child objects. * `plone.app.querystring`: Fix the `currentUser`` operation when the current user's username is different from their user id. -* `plone.namedfile`: Fixed issue with SVG images that contain extensive metadata. -* `plone.staticresources`: update to Mockup 5.1.4: +* `plone.staticresources`: Update Bootstrap to `5.3.2`, bootstrap-icons to `1.11.1` and Mockup to `5.1.5`: * pat structure: Fix popover-structure-columns, use 2-column layout. (9fb499e) * pat structure: Fix sticky position when toolbar is on top. - * pat tinymce: Fix image modal with selected image. -* `plonetheme.barceloneta`: Update Bootstrap to `5.3.1` + * pat tinymce: Fix image modal with selected image. Properly await the select2 initialization when using it from the insert image or insert link dialogs. +* `plonetheme.barceloneta`: Update Bootstrap to `5.3.2` * `Products.CMFCore`: * Improve handling of PortalFolder filter input. * Provide a way to not publish items that are acquired. -* `plone.restapi`: - * Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas. - * When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`. - * When deserializing blocks, `image_scales` is removed. - * Add `visit_blocks` util for finding all nested blocks. * `plone.app.locales`: Updates to nl translations. diff --git a/release/changelog.txt b/release/changelog.txt index 371fcf5209..2195fbe803 100644 --- a/release/changelog.txt +++ b/release/changelog.txt 
@@ -1,7 +1,13 @@ -Zope 5.8.3 → 5.8.4 +Zope 5.8.3 → 5.8.5 ------------------ +- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch a to a list of denied types by setting OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. works the same as before. (CVE-2023-42458) See security advisory. +- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil. +- Added image dimensions to SVG file properties #1146. +- Fix username not in access log for error requests, see issue #1155. +- Update to newest compatible versions of dependencies. +- Add preliminary support for Python 3.12rc3. - Disable a ZCatalog (more precisly: Products.PluginIndexes) performance test which occasionally fails on GitHub. For details, see #1136. - Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6. - Update to newest compatible versions of dependencies. @@ -11,7 +17,6 @@ Zope 5.8.3 → 5.8.4 - Update RestrictedPython to version 6.2 to mitigate a security problem. (CVE-2023-41039) - Update AccessControl to version 6.2 to mitigate a security problem. (CVE-2023-41050) - pip: 23.1.2 → 23.2 ------------------ @@ -150,10 +155,13 @@ Bug fixes: [gforcada] (#147) -plone.app.upgrade: 3.0.6 → 3.0.7 +plone.app.upgrade: 3.0.6 → 3.0.8 -------------------------------- Bug fixes: +- Fix error in site syndication settings when upgrading. + [maurits] (#315) + - Add Upgrade Step to fix ISyndicationSettings [1letter] (#315) 
@@ -237,7 +245,7 @@ Internal: [plone devs] (55bda5c9) -plone.namedfile: 6.1.1 → 6.2.0 +plone.namedfile: 6.1.1 → 6.2.1 ------------------------------ New features: @@ -249,6 +257,11 @@ New features: Bug fixes: +- Fix stored XSS (Cross Site Scripting) for SVG images. + Done by forcing a download instead of displaying inline. + See `security advisory `_. + [maurits] (#1) + - Fixed the issue where SVG images containing extensive metadata were not being displayed correctly (resulting in a width/height of 1px). This problem could occur when the tag exceeded the MAX_INFO_BYTES limit. @@ -279,7 +292,18 @@ Documentation: [gforcada] (#190) -plone.restapi: 8.40.0 → 8.43.2 +plone.rest: 3.0.0 → 3.0.1 +------------------------- +Bug fixes: + +- When ``++api++`` is in the url multiple times, redirect to the proper url. + When the url is badly formed, for example ``++api++/something/++api++``, give a 404 NotFound. + Fixes a denial of service. + See `security advisory `_. + [maurits] (#1) + + +plone.restapi: 8.40.0 → 8.43.3 ------------------------------ New features: @@ -293,6 +317,12 @@ New features: Bug fixes: +- Fix stored XSS (Cross Site Scripting) for SVG image in user portrait. + Done by forcing a download instead of displaying inline. + Normal accessing via an image tag is not affected and is safe. + See `security advisory `_. + [maurits] (#1) + - Make new release to add missing changelog entries for 8.43.1. [maurits] (#8431) @@ -360,10 +390,13 @@ Internal: [plone devs] (7723aeaf) -plone.staticresources: 2.1.3 → 2.1.6 +plone.staticresources: 2.1.3 → 2.1.7 ------------------------------------ Bug fixes: +- Update Bootstrap to ``5.3.2``, bootstrap-icons to ``1.11.1`` and Mockup to ``5.1.5``. + [petschki] (#303) + - Mockup 5.1.4 - see https://github.com/plone/mockup/releases/tag/5.1.4 [petschki] (#302) 
@@ -379,6 +412,14 @@ Internal: [plone devs] (cfffba8c) +plone.testing: 8.0.3 → 8.0.4 +---------------------------- +Bug fixes: + +- Fix tests when run with ZODB 5.8.1+. + [maurits] (#581) + + plone.volto: 4.0.9 → 4.1.0 -------------------------- New features: @@ -402,6 +443,8 @@ plonetheme.barceloneta: 3.1.3 → 3.1.4 Bug fixes: +- Update Bootstrap to 5.3.2 [petschki] #346 + - Update Bootstrap to ``5.3.1`` [petschki] #343 @@ -416,11 +459,12 @@ Documentation: [maurits] #338 -Products.CMFPlone: 6.0.6 → 6.0.7rc1 ------------------------------------ +Products.CMFPlone: 6.0.6 → 6.0.7 +-------------------------------- Bug fixes: +- Register site syndication settings from plone.base instead of CMFPlone. [maurits] #315 - Explicitly disable ``Products.CMFCore.explicitacquisition`` in Plone 6. [jaroel] explicitacquisition - Update `plone.app.z3cform` dependency version and deprecate `plone.app.widgets`
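Review bot: in the first RELEASE-NOTES.md hunk, the new Highlights bullet `* This includes security fixes from today's announcement:` will read wrong once the notes are archived at dist.plone.org; name the date instead, e.g. `* This release includes the security fixes from the 2023-09-21 advisory:` (the date is already on the `Released:` line). The two sub-bullets are bare URLs while every other link in this file uses Markdown link syntax, and the new `plone.rest` bullet uses reST-style ``++api++`` in a Markdown file; `` `++api++` `` matches the rest of the file. Since the Zope bullet "Force download for others, especially SVG images" is the change most likely to surprise site administrators, consider also naming the override knobs that the changelog documents (ALLOWED_INLINE_MIMETYPES, DISALLOWED_INLINE_MIMETYPES, OFS_IMAGE_USE_DENYLIST) so readers know the allow-list is the default and where to adjust it.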
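Review bot: in the second RELEASE-NOTES.md hunk, the unchanged context line `Fix the `currentUser`` operation` carries a stray second backtick that breaks the inline code span; since this hunk already rewrites the neighbouring lines, fold the one-character fix in here rather than leaving it for another release.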
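Review bot: in the Zope 5.8.3 → 5.8.5 hunk of changelog.txt, the added entry ends with `This change only affects direct URL access. works the same as before.`, which has lost the subject of its second sentence; this is the sentence that tells operators which access path still renders SVG inline, so restore it explicitly rather than leaving readers to guess. The same entry has the typo `switch a to a list of denied types` (`switch to a list`), and `(CVE-2023-42458) See security advisory.` gives no link, unlike the CVE lines further down. Also, `- Update to newest compatible versions of dependencies.` now appears twice in the same version block (once added, once in the unchanged context below); the 5.8.4 and 5.8.5 entries could be merged to one line.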
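Review bot: in the plone.namedfile bug-fixes hunk, `See `security advisory `_.` is a reST reference with an empty target, which renders as an unresolved link; the advisory URL is already on the page (https://plone.org/security/hotfix/20230921), so use `See `security advisory <https://plone.org/security/hotfix/20230921>`_.` here.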
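Review bot: in the plone.rest 3.0.0 → 3.0.1 hunk, the entry says `Fixes a denial of service.` without saying what the previous failure mode looked like for a malformed `++api++/something/++api++` URL; one phrase describing the observable symptom would let operators recognise it in their request logs and confirm the fix. The `See `security advisory `_.` reference in this hunk also has an empty target and needs the advisory URL.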
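Review bot: in the plone.restapi bug-fixes hunk, `Normal accessing via an image tag is not affected and is safe.` should read `Normal access via an image tag is not affected and is safe.`; this is the sentence that scopes the user-portrait XSS fix, so it is worth getting right. The `See `security advisory `_.` reference here has the same empty target as the earlier hunks.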
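Review bot: in the plonetheme.barceloneta hunk, the new entry `- Update Bootstrap to 5.3.2 [petschki] #346` does not match the adjacent 5.3.1 entry, which wraps the version in ``5.3.1`` literal markup and puts the `[petschki] #343` attribution on its own indented line; format the new entry the same way for consistency in the rendered changelog.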