Plone

Plone 5.2.14

  1. Series 5.2
  2. 5.2.14

Milestone information

Project:
Plone
Series:
5.2
Version:
5.2.14
Released:
 
Registrant:
Maurits van Rees
Release registered:
Active:
Yes. Drivers can target bugs and blueprints to this milestone.  

Download RDF metadata

Activities

Assigned to you:
No blueprints or bugs assigned to you.
Assignees:
No users assigned to blueprints and bugs.
Blueprints:
No blueprints are targeted to this milestone.
Bugs:
No bugs are targeted to this milestone.

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File Description Downloads
download icon Plone-5.2.14-UnifiedInstaller-1.0.zip (md5, sig) Unified Installer zip -- same as tarball, but easier to extract on Windows 281
last downloaded 24 hours ago
download icon Plone-5.2.14-UnifiedInstaller-1.0.tgz (md5, sig) Unified Installer tarball -- builds Plone on most Linux/macOS/Windows 10 systems 1,216
last downloaded today
Total downloads: 1,497

Release notes 

# Release notes for Plone 5.2.14

* Released: Thursday September 21, 2023
* This is expected to be the last maintenance release.
* Check the [release schedule](https://plone.org/download/release-schedule).
* Read the [upgrade guide](https://5.docs.plone.org/manage/upgrading/version_specific_migration/upgrade_to_52.html), explaining the biggest changes compared to 5.1.
* Canonical place for these [release notes](https://dist.plone.org/release/5.2.14/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/5.2.14/changelog.txt).

If you want to jump straight in, here are two important links:

* With pip you can use the constraints file at [https://dist.plone.org/release/5.2.14/constraints.txt](https://dist.plone.org/release/5.2.14/constraints.txt)
* With Buildout you can use the versions file at [https://dist.plone.org/release/5.2.14/versions.cfg](https://dist.plone.org/release/5.2.14/versions.cfg).

## Highlights

Major changes since 5.2.13:

* This includes security fixes from today's announcement:
  * https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
  * https://plone.org/security/hotfix/20230921
* `Zope`:
  * Security fixes in `AccessControl` and `RestrictedPython`. See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
  * Allow only some image types to be displayed inline. Force download for others, especially SVG images.
  * Tighten down the ZMI frame source logic to only allow site-local sources.
* `plone.namedfile`: Fix stored XSS (Cross Site Scripting) for SVG images.
* `plone.rest`: When ``++api++`` is in the url multiple times, redirect to the proper url.
* `plone.restapi`:
  * Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
* `Products.CMFCore`: Make `decodeFolderFilter` and `encodeFolderFilter` non-public.
  This is the workaround from [CVE-2023-36814](https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87).
* `plone.app.multilingual`:
  * Fix various problems when using the Indonesian language in a multilingual setup.
    This language has ``id`` as code. This is not allowed as an id in Plone, so it has always been created as ``id-id`` instead.
    This needs some special handling.
  * Fix ``set_recursive_language`` to actually find child objects. This is used to make sure that a language folder only contains content in this language.

## Last maintenance release

Plone 5.2.14 is planned to be the last regular release of Plone 5.2.
This release was originally planned for October, but we moved it forward to have the security fixes in a full release. If there are good reasons, we can still make a new release.

After October 2023, Plone 5.2 is out of maintenance support.

There is still one year of security support, until October 31, 2024.
At that moment, even Python 3.8 is out of security support by the Python community.

## Python compatibility

This release supports Python 2.7 and 3.8.

Python 3.6 and 3.7 should still work, but these are end of life and no longer supported.

Plone 5.2 still supports Python 2.7, but this is end-of-life since 2020. It should only be used as a temporary stepping stone before you migrate your Plone site to Python 3.

## Versions of pip, zc.buildout, setuptools

In Plone core we use these versions to install Plone on Python 2:

```
setuptools==42.0.2
zc.buildout==2.13.8
wheel==0.37.1
```

and these on Python 3:

```
setuptools==65.7.0
zc.buildout==3.0.1
wheel==0.38.4
```

In general you are free to use whatever versions work for you, especially newer ones, but these worked for us.

Note that `setuptools` 66 is more strict with what versions it can recognize. If you run `pip` or `buildout` and it suddenly cannot find a package with a non-standard version, then this may be the cause. This is why we stayed at version 65 for Plone 5.2.

## Installation

For installation instructions, see the [documentation](https://5.docs.plone.org/manage/installing/index.html).

There is still a [Unified Installer](https://launchpad.net/plone/5.2/5.2.14). One warning there: we could no longer test this on Python 2.7. It *should* work though.

## Issues

If you find any issues, please report them in the [main issue tracker](https://github.com/plone/Products.CMFPlone/issues).

Changelog 

View the full changelog

Zope 4.8.7 → 4.8.10
-------------------

- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch a to a list of denied types by setting OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. <img src="image.svg" /> works the same as before. (CVE-2023-42458) See security advisory.
- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
- Update RestrictedPython to version 5.4 to fix a potential a security issue. (CVE-2023-41039)
- Update AccessControl to version 4.4 to fix a potential a security issue. (CVE-2023-41050)
- Sanitize tainting fixing #1095
- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
- Only set response header Content-Type as text/html on exception views when the response has content. (#1089)
Update dependencies to the latest releases for each supported Python version.

plone.recipe.zope2instance: 6.12.0 → 6.12.1
-------------------------------------------
Documentation:

- Update README: for ``RotatingFileHandler`` ``maxCount`` is not a valid keyword argument.
  Use ``backupCount``.
  [gforcada] (#190)

plone.releaser: 1.8.8 → 1.8.9
-----------------------------
Bug fixes:

- Allow disabling PyPI rights check, as this does not know how to check organisations.
  Set env variable ``PLONE_RELEASER_CHECK_PYPI_ACCESS=0`` if you want to disable it.
  Also, we do not check PyPI if the user is `__token__`, so using an API token.
  [maurits] (#50)

- Fix missing changelog entries when running ``bin/manage changelog``.
  [maurits] (#60)

Plone: 5.2.13 → 5.2.14
----------------------
Bug fixes:

- Release Plone 5.2.14.
  [maurits]

plone.app.multilingual: 5.6.4 → 5.6.6
-------------------------------------
Bug fixes:

- Fix setting Indonesian language cookie on site root: must be ``id``, not ``id-id``.
  [maurits] (#304)

- Fix ``set_recursive_language`` to actually find child objects.
  [maurits] (#304)

- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred.
  [maurits] (#304)

- Do not unset the language on the Indonesian root language folder when saving the control panel.
  This language has ``id`` as code. This is not allowed as an id in Plone, so it is created as ``id-id`` instead.
  This needs some special handling.
  Added upgrade to recursively fix this language folder to set the Indonesian language. This is only done when the folder itself has the wrong language.
  [maurits] (#304)

plone.app.upgrade: 2.1.6 → 2.1.7
--------------------------------
Bug fixes:

- Added upgrade to 5222, Plone 5.2.14.
  [maurits] (#5222)

plone.namedfile: 5.6.0 → 5.6.1
------------------------------
Bug fixes:

- Fix stored XSS (Cross Site Scripting) for SVG images.
  Done by forcing a download instead of displaying inline.
  See `security advisory <https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x>`_.
  [maurits] (#1)

plone.restapi: 7.8.2 → 7.8.3
----------------------------
Bug fixes:

- Fix content serializer with an old version of an item that was renamed. @davisagli (#1651)

Products.CMFCore: 2.7.0 → 2.7.1
-------------------------------
- Make ``decodeFolderFilter`` and ``encodeFolderFilter`` non-public.
  This is the workaround from `CVE-2023-36814 <https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87>`_.

Products.CMFPlone: 5.2.13 → 5.2.14
----------------------------------
Bug fixes:

- Update metadata version to 5222, Plone 5.2.14.
  [maurits] (#5222)

0 blueprints and 0 bugs targeted

There are no feature specifications or bug tasks targeted to this milestone. The project's maintainer, driver, or bug supervisor can target specifications and bug tasks to this milestone to track the things that are expected to be completed for the release.

This milestone contains Public information
Everyone can see this information.