The Zope Security Team has announced a hotfix, Products.Zope_Hotfix_20111024, for a vulnerability in the Zope Application Server, versions Zope 2.12.x and Zope 2.13.x.
Most Plone installations are not vulnerable and do not need the hotfix. Please read this announcement carefully for instructions on how to determine whether or not you need to apply the hotfix.
The announced vulnerability is in Zope's default authentication system. When a Plone site is installed in a Zope database, the Plone installation usually replaces the basic Zope authentication system with the Pluggable Authentication System (PAS). PAS is not vulnerable to this problem.
You may verify that you are using PAS by using the Zope Management Interface to examine the acl_users object in the root of your Zope database.
If the title of the object reads "User Folder at /acl_users", your system is vulnerable and you should apply the hotfix.
If the title of the object reads "Pluggable Auth Service at /acl_users", your system is not vulnerable.
Versions Affected: Zope 2.12.x <= 2.12.20 and Zope 2.13.x <= 2.13.10 that do not have the Pluggable Authentication System installed.
Versions Not Affected: Zope installations where a Plone installation has replaced the Zope baseline authentication system with PAS.
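The two checks above (the Zope version range and the title of the root acl_users object) can be combined into a small decision helper. The following script is an added example, not code from the Plone or Zope projects; it assumes the Zope version string is read from the Zope Control Panel and the acl_users title is copied from the ZMI exactly as the advisory describes, and it only matches the two title strings the advisory gives.

```python
"""Decide whether Products.Zope_Hotfix_20111024 applies to a given installation."""
import re

# Affected ranges from the advisory: 2.12.x up to and including 2.12.20,
# 2.13.x up to and including 2.13.10.
AFFECTED_RANGES = {
    (2, 12): 20,
    (2, 13): 10,
}

# Titles the advisory says the ZMI shows for the root acl_users object.
STANDARD_USER_FOLDER = "User Folder at /acl_users"
PAS_USER_FOLDER = "Pluggable Auth Service at /acl_users"


def parse_version(version):
    """Return (major, minor, patch) from strings such as '2.13.10' or 'Zope 2.12.20'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Zope version: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True if the Zope version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    limit = AFFECTED_RANGES.get((major, minor))
    return limit is not None and patch <= limit


def uses_pas(acl_users_title):
    """True if the root acl_users is a Pluggable Auth Service (the non-vulnerable case).

    Anything other than the two titles named in the advisory is rejected rather
    than guessed at, so an unusual user folder gets looked at by a human.
    """
    title = acl_users_title.strip()
    if title == PAS_USER_FOLDER:
        return True
    if title == STANDARD_USER_FOLDER:
        return False
    raise ValueError("unexpected acl_users title: %r" % title)


def hotfix_needed(version, acl_users_title):
    """The hotfix is needed only when the version is affected AND the root
    acl_users is still the basic Zope User Folder."""
    return version_affected(version) and not uses_pas(acl_users_title)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from a real installation.
    samples = [
        ("2.13.10", STANDARD_USER_FOLDER),
        ("2.13.10", PAS_USER_FOLDER),
        ("2.13.11", STANDARD_USER_FOLDER),
    ]
    for ver, title in samples:
        verdict = "apply hotfix" if hotfix_needed(ver, title) else "not vulnerable"
        print("%s | %s -> %s" % (ver, title, verdict))
```

The version check is deliberately exact about the upper bounds (2.12.20 and 2.13.10 are affected, 2.12.21 and 2.13.11 are not), and the title check refuses to classify a user folder it does not recognise instead of assuming it is safe.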
See the Zope Hotfix Announcement for details on installing the hotfix.
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team.
To report potentially security-related issues, please send a mail to the Plone Security Team at security@plone.org. The security team is always happy to credit individuals and companies who make responsible disclosures.