
We are running an old version of Plone (version 2.0.5). (We will migrate next year to Plone 4.)

I was trying to install the Plone Hotfix 20121106, but (as mentioned in the installation description) the hotfix will not apply to version 2.0.5 of Plone.

Questions:

  • Are the security vulnerabilities also relevant for Plone version 2.0.5?
  • Is there another way to install the hotfix on that old version of Plone?
Martijn Pieters
David

1 Answer


Some of the security vulnerabilities do apply to 2.0.5, yes.

However, there are other unpatched vulnerabilities in 2.0.5 not addressed by this hotfix, and you want to move away from this old a version as soon as possible. The Plone security team does not provide official support for Plone versions this old; currently 3.x and 4.x releases are supported.

You can unzip the hotfix into your Products folder, and it should just work. I believe people have tested it on 2.0.x installations already; the test coverage certainly was run on 2.1. You'll have to run your own tests though to make sure nothing (important) breaks for you when the fix is installed.

Martijn Pieters
  • I already installed the hotfix as described in the installation instructions. The hotfix is now visible in the ZMI under RootFolder -> Control Panel -> Products -> PloneHotfix20121106, but I did not see any log entries concerning the hotfix during startup of the Plone instance. That's why I don't know for sure if the hotfix has been successfully installed to my instance... – David Nov 09 '12 at 15:09
  • @David: Right, the hotfix uses `INFO` level messages to inform you what fixes it tried to apply, and it'll log a `WARN` level message if any failed to apply. 7 out of 22 patches are optional; they only apply if certain packages can be imported. Try running in `fg` foreground mode to see any log messages. – Martijn Pieters Nov 09 '12 at 15:15
  • By looking at the logging output during startup, I figured out that these hotfix parts could not be installed: - gtbn - membership_tool - queryCatalog - uid_catalog - renameObjectsByPaths - at_download - safe_html - vatat - random_string Questions: Are the parts not being installed very important? And if yes, what else can I do to make my Plone site more safe? So far, we are using an intrusion detection system to make sure nobody modifies Zope content/scripts. – David Nov 20 '12 at 13:53
  • I'm going to have to give you the same response that the Security team would give you: 2.0 is no longer supported, and I have no idea if those would be problematic for you. 2.0 is just too old. – Martijn Pieters Nov 20 '12 at 14:46
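
One way to check a captured startup log for the hotfix's `INFO`/`WARN` messages described in the comments above, as an added example that is not part of the original thread and not the hotfix's own code. The message wording ("Applied <name> patch", "Could not apply <name>"), the log line layout and the sample lines are assumptions constructed for illustration; adjust the pattern to what your instance actually prints in `fg` mode.

```python
import re

HOTFIX = "PloneHotfix20121106"
TOTAL_PATCHES = 22  # from the comment above: 22 patches, 7 of them optional

# ASSUMED message shapes (not confirmed by the page): an INFO line
# "Applied <name> patch" and a WARN/WARNING line "Could not apply <name>",
# both emitted by a logger whose name contains the hotfix product name.
LINE = re.compile(
    r"\b(?:INFO|WARN(?:ING)?)\b.*?" + HOTFIX +
    r"\W+(?:Applied (?P<ok>\S+) patch|Could not apply (?P<bad>\S+))")


def triage(log_text):
    """Sort hotfix startup messages into applied and failed patches."""
    applied, failed = [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # unrelated log line
        if m.group("ok"):
            applied.append(m.group("ok"))
        else:
            failed.append(m.group("bad"))
    seen = len(applied) + len(failed)
    if seen == 0:
        # The situation in the first comment: product listed in the ZMI,
        # but no hotfix log lines visible at the configured log level.
        verdict = "no hotfix messages: INFO/WARN may be filtered, start in fg mode"
    elif failed:
        verdict = "%d patch(es) failed to apply" % len(failed)
    elif seen < TOTAL_PATCHES:
        verdict = "only %d of %d patches reported" % (seen, TOTAL_PATCHES)
    else:
        verdict = "all patches reported as applied"
    return {"applied": applied, "failed": failed, "verdict": verdict}


# Constructed sample log; the two failed names are taken from the comment above.
SAMPLE = """\
2012-11-20T13:50:01 INFO Zope Ready to handle requests
2012-11-20T13:50:02 INFO PloneHotfix20121106 Applied constructed_patch_a patch
2012-11-20T13:50:02 WARNING PloneHotfix20121106 Could not apply gtbn
2012-11-20T13:50:02 WARNING PloneHotfix20121106 Could not apply safe_html
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A failed patch on an unsupported release is not necessarily an optional one, so each name in `failed` still needs to be checked by hand.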