Update changelog and release notes.

release/RELEASE-NOTES.md

@@ -1,21 +1,34 @@
-# Release notes for Plone 5.2.14 (unreleased)
+# Release notes for Plone 5.2.14
 
-* Last updated: Thursday July 20, 2023
-* Expected final release: October 2023
+* Released: Thursday September 21, 2023
+* This is expected to be the last maintenance release.
 * Check the [release schedule](https://plone.org/download/release-schedule).
 * Read the [upgrade guide](https://5.docs.plone.org/manage/upgrading/version_specific_migration/upgrade_to_52.html), explaining the biggest changes compared to 5.1.
-* Canonical place for these [release notes](https://dist.plone.org/release/5.2-dev/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/5.2-dev/changelog.txt).
+* Canonical place for these [release notes](https://dist.plone.org/release/5.2.14/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/5.2.14/changelog.txt).
 
 If you want to jump straight in, here are two important links:
 
-* With pip you can use the constraints file at [https://dist.plone.org/release/5.2-dev/constraints.txt](https://dist.plone.org/release/5.2-dev/constraints.txt)
-* With Buildout you can use the versions file at [https://dist.plone.org/release/5.2-dev/versions.cfg](https://dist.plone.org/release/5.2-dev/versions.cfg).
+* With pip you can use the constraints file at [https://dist.plone.org/release/5.2.14/constraints.txt](https://dist.plone.org/release/5.2.14/constraints.txt)
+* With Buildout you can use the versions file at [https://dist.plone.org/release/5.2.14/versions.cfg](https://dist.plone.org/release/5.2.14/versions.cfg).
 
 
 ## Highlights
 
 Major changes since 5.2.13:
 
+* This includes security fixes from today's announcement:
+  * https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
+  * https://plone.org/security/hotfix/20230921
+* `Zope`:
+  * Security fixes in `AccessControl` and `RestrictedPython`.  See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
+  * Allow only some image types to be displayed inline. Force download for others, especially SVG images.
+  * Tighten down the ZMI frame source logic to only allow site-local sources.
+* `plone.namedfile`: Fix stored XSS (Cross Site Scripting) for SVG images.
+* `plone.rest`: When ``++api++`` is in the url multiple times, redirect to the proper url.
+* `plone.restapi`:
+  * Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
+* `Products.CMFCore`: Make `decodeFolderFilter` and `encodeFolderFilter` non-public.
+  This is the workaround from [CVE-2023-36814](https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87).
 * `plone.app.multilingual`:
   * Fix various problems when using the Indonesian language in a multilingual setup.
     This language has ``id`` as code.  This is not allowed as an id in Plone, so it has always been created as ``id-id`` instead.
@@ -26,7 +39,9 @@ Major changes since 5.2.13:
 ## Last maintenance release
 
 Plone 5.2.14 is planned to be the last regular release of Plone 5.2.
-From here on, Plone 5.2 is out of maintenance support.
+This release was originally planned for October, but we moved it forward to have the security fixes in a full release.  If there are good reasons, we can still make a new release.
+
+After October 2023, Plone 5.2 is out of maintenance support.
 
 There is still one year of security support, until October 31, 2024.
 At that moment, even Python 3.8 is out of security support by the Python community.
@@ -61,13 +76,14 @@ wheel==0.38.4
 
 In general you are free to use whatever versions work for you, especially newer ones, but these worked for us.
 
-Note that `setuptools` 66 is more strict with what versions it can recognize.  If you run `pip` or `buildout` and it suddenly cannot find a package with a non-standard version, then this may be the cause.  This is why we stayed at version 65 for this release.  Likely, we will keep doing this for future Plone 5.2 releases.
+Note that `setuptools` 66 is more strict with what versions it can recognize.  If you run `pip` or `buildout` and it suddenly cannot find a package with a non-standard version, then this may be the cause.  This is why we stayed at version 65 for Plone 5.2.
 
 
 ## Installation
 
 For installation instructions, see the [documentation](https://5.docs.plone.org/manage/installing/index.html).
 
+There is still a [Unified Installer](https://launchpad.net/plone/5.2/5.2.14).  One warning there: we could no longer test this on Python 2.7.  It *should* work though.
 
 ## Issues
 

release/changelog.txt

@@ -1,74 +1,101 @@
-plone.versioncheck: 1.8.0 → 1.8.1
----------------------------------
+Zope 4.8.7 → 4.8.10
+-------------------
+
+- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch a to a list of denied types by setting OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. <img src="image.svg" /> works the same as before. (CVE-2023-42458) See security advisory.
+- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
+- Update RestrictedPython to version 5.4 to fix a potential a security issue. (CVE-2023-41039)
+- Update AccessControl to version 4.4 to fix a potential a security issue. (CVE-2023-41050)
+- Sanitize tainting fixing #1095
+- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
+- Only set response header Content-Type as text/html on exception views when the response has content. (#1089)
+Update dependencies to the latest releases for each supported Python version.
+
+plone.recipe.zope2instance: 6.12.0 → 6.12.1
+-------------------------------------------
+Documentation:
+
+- Update README: for ``RotatingFileHandler`` ``maxCount`` is not a valid keyword argument.
+  Use ``backupCount``.
+  [gforcada] (#190)
+
+
+plone.releaser: 1.8.8 → 1.8.9
+-----------------------------
 Bug fixes:
 
-- Catch empty version and ignore invalid versions in more places.
-  Needed when a package is explicitly unpinned, for example ``Zope =``.
-  [maurits]
+- Allow disabling PyPI rights check, as this does not know how to check organisations.
+  Set env variable ``PLONE_RELEASER_CHECK_PYPI_ACCESS=0`` if you want to disable it.
+  Also, we do not check PyPI if the user is `__token__`, so using an API token.
+  [maurits] (#50)
+
+- Fix missing changelog entries when running ``bin/manage changelog``.
+  [maurits] (#60)
 
 
-Plone: 5.2.12 → 5.2.13
+Plone: 5.2.13 → 5.2.14
 ----------------------
 Bug fixes:
 
-- Release Plone 5.2.13.
+- Release Plone 5.2.14.
   [maurits]
 
 
-plone.app.caching: 2.2.0 → 2.2.1
---------------------------------
+plone.app.multilingual: 5.6.4 → 5.6.6
+-------------------------------------
 Bug fixes:
 
-- Fixed tests that compared a stable time with a ten year old Expires handler.
-  [maurits] (#127)
+- Fix setting Indonesian language cookie on site root: must be ``id``, not ``id-id``.
+  [maurits] (#304)
 
+- Fix ``set_recursive_language`` to actually find child objects.
+  [maurits] (#304)
 
-plone.app.locales: 5.1.32 → 5.1.33
-----------------------------------
-- Update Italian widgets domain translations.
-  [cekk]
+- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred.
+  [maurits] (#304)
 
+- Do not unset the language on the Indonesian root language folder when saving the control panel.
+  This language has ``id`` as code.  This is not allowed as an id in Plone, so it is created as ``id-id`` instead.
+  This needs some special handling.
+  Added upgrade to recursively fix this language folder to set the Indonesian language.  This is only done when the folder itself has the wrong language.
+  [maurits] (#304)
 
-plone.app.portlets: 4.4.8 → 4.4.9
----------------------------------
-Bug fixes:
-
-- Fix login button name [wkbkhard] (#132)
 
-
-plone.app.upgrade: 2.1.5 → 2.1.6
+plone.app.upgrade: 2.1.6 → 2.1.7
 --------------------------------
 Bug fixes:
 
-- Added upgrade to 5221, Plone 5.2.13.
-  [maurits] (#5221)
+- Added upgrade to 5222, Plone 5.2.14.
+  [maurits] (#5222)
 
 
-plone.portlet.collection: 3.3.6 → 3.3.7
----------------------------------------
+plone.namedfile: 5.6.0 → 5.6.1
+------------------------------
 Bug fixes:
 
-- Convert collection to list before randomizing it
-  [witsch] (#42)
+- Fix stored XSS (Cross Site Scripting) for SVG images.
+  Done by forcing a download instead of displaying inline.
+  See `security advisory <https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x>`_.
+  [maurits] (#1)
 
 
-Products.CMFPlone: 5.2.12 → 5.2.13
-----------------------------------
+plone.restapi: 7.8.2 → 7.8.3
+----------------------------
 Bug fixes:
 
-- Officially drop Python 3.7 support, as this version is end of life.
-  We try not to break it though.
-  [maurits] (#37)
+- Fix content serializer with an old version of an item that was renamed. @davisagli (#1651)
 
-- Fixed TinyMCE menubar settings when creating new Plone Site.
-  It contained "toolsview" instead of "tools" and "view" due to a missing comma.
-  Nothing goes wrong in Plone 5, but it causes those two menus to miss in Plone 6.
-  [maurits] (#3785)
 
-- Do not publish unused CMFCore folder filter methods.
-  [maurits] (#3826)
+Products.CMFCore: 2.7.0 → 2.7.1
+-------------------------------
+- Make ``decodeFolderFilter`` and ``encodeFolderFilter`` non-public.
+  This is the workaround from `CVE-2023-36814 <https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87>`_.
+
+
+Products.CMFPlone: 5.2.13 → 5.2.14
+----------------------------------
+Bug fixes:
 
-- Update metadata version to 5221, Plone 5.2.13.
-  [maurits] (#5221)
+- Update metadata version to 5222, Plone 5.2.14.
+  [maurits] (#5222)