Zope

Latest version: v5.10

Safety actively analyzes 630217 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 2 of 15

5.9

----------------

- Support form data in ``PUT`` requests (following the ``multipart`` example).
Fixes `1182 <https://github.com/zopefoundation/Zope/issues/1182>`_.

- Separate ZODB connection information into new ZODB Connections view.

- Move the cache detail links to the individual database pages.

- Fix the auto refresh functionality on the Reference Count page

- Update the Ace editor in the ZMI.

- Restrict access to static ZMI resources.

- Update to newest compatible versions of dependencies.

- Add ``paste.filter_app_factory`` entry point ``content_length``.
This WSGI middleware component can be used with
WSGI servers which do not follow the PEP 3333 recommendation
regarding input handling for requests with
``Content-Length`` header.
Allows administrators to fix
`1171 <https://github.com/zopefoundation/Zope/pull/1171>`_.

- Officially support Python 3.12.

5.8.6

------------------

- Make sure the object title in the ZMI breadcrumbs is quoted
to prevent a cross-site scripting issue.

- Update to newest compatible versions of dependencies.

- Base the inline/attachment logic developed for CVE-2023-42458
on the media type proper (ignore parameters and
whitespace and normalize to lowercase)
(`1167 <https://github.com/zopefoundation/Zope/pull/1167>`_).

5.8.5

Not secure
------------------

- Allow only some image types to be displayed inline. Force download for
others, especially SVG images. By default we use a list of allowed types.
You can switch a to a list of denied types by setting OS environment variable
``OFS_IMAGE_USE_DENYLIST=1``. You can override the allowed list with
environment variable ``ALLOWED_INLINE_MIMETYPES`` and the disallowed list
with ``DISALLOWED_INLINE_MIMETYPES``. Separate multiple entries by either
comma or space. This change only affects direct URL access.
``<img src="image.svg" />`` works the same as before. (CVE-2023-42458)
See `security advisory <https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v>`_.

- Tighten down the ZMI frame source logic to only allow site-local sources.
Problem reported by Miguel Segovia Gil.

- Added image dimensions to SVG file properties
`1146 <https://github.com/zopefoundation/Zope/pull/1146>`_.

- Fix username not in access log for error requests, see issue
`1155 <https://github.com/zopefoundation/Zope/issues/1155>`_.

- Update to newest compatible versions of dependencies.

- Add preliminary support for Python 3.12rc3.

5.8.4

Not secure
------------------

- Disable a ``ZCatalog`` (more precisly: ``Products.PluginIndexes``)
performance test which occasionally fails on GitHub.
For details, see
`1136 <https://github.com/zopefoundation/Zope/issues/1136>`_.

- Restore filename on code objects of objects returned from
``App.Extensions.getObject()``. This got lost in 4.0a6.

- Update to newest compatible versions of dependencies.

- Add preliminary support for Python 3.12rc1.

- Make ``mapply`` ``__signature__`` aware.
This allows to publish methods decorated via a decorator
which sets ``__signature__`` on the wrapper to specify
the signature to use.
For details, see
`1134 <https://github.com/zopefoundation/Zope/issues/1134>`_.
Note: ``mapply`` still does not support keyword only, var positional
and var keyword parameters.

- Make Zope's parameters for denial of service protection configurable
`1141 <https://github.com/zopefoundation/Zope/issues/1141>`_.

- Update ``RestrictedPython`` to version 6.2 to mitigate a security problem.
(CVE-2023-41039)

- Update ``AccessControl`` to version 6.2 to mitigate a security problem.
(CVE-2023-41050)

5.8.3

Not secure
------------------

- Fix handling of a request parameter of type ``file`` if no value
has been specified;
fixes `1132 <https://github.com/zopefoundation/Zope/issues/1132>`_.

- Fix adding Page Templates without valid file input from the ZMI
(`1130 <https://github.com/zopefoundation/Zope/issues/1130>`_)

- Update to newest compatible versions of dependencies.

5.8.2

Not secure
------------------

- Allow ``ZPublisher`` to handle both a query string and a request body;
the request parameters from the query string are made available
in the request attribute ``form`` (a ``dict``),
the request body can be accessed via the request keys ``BODY``
(a ``bytes`` object) or ``BODYFILE`` (a file like object).
Fixes `1122 <https://github.com/zopefoundation/Zope/issues/1122>`_.

- Support access to the request's ``BODY`` key for WSGI servers
which hand over an unseekable request body (such as e.g.
``Gunicorn``).
Fixes `1125 <https://github.com/zopefoundation/Zope/issues/1125>`_.

- Do not break on GET requests that pass a query string
and a `Content-Type` header.
For details see `1117 <https://github.com/zopefoundation/Zope/pull/1117>`_.

- Implement code change suggestions from CodeQL scanning.

- Added Japanese translations for some Sphinx docs
(`1109 <https://github.com/zopefoundation/Zope/issues/1109>`_)

- Update to newest compatible versions of dependencies.

- Update zope.ini.in skel to support log paths that use backslashes.
(`1106 <https://github.com/zopefoundation/Zope/issues/1106>`_)

Page 2 of 15

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.