diff --git a/release/RELEASE-NOTES.md b/release/RELEASE-NOTES.md
index 788104110c..36c9961cce 100644
--- a/release/RELEASE-NOTES.md
+++ b/release/RELEASE-NOTES.md
@@ -1,24 +1,40 @@
-# Release notes for Plone 6.0.7rc1
+# Release notes for Plone 6.0.7
-* Last updated: Thursday September 14, 2023
+* Released: Thursday September 21, 2023
* Check the [release schedule](https://plone.org/download/release-schedule).
* Read the [upgrade guide](https://6.docs.plone.org/upgrade/index.html), explaining the biggest changes compared to 5.2.
-* Canonical place for these [release notes](https://dist.plone.org/release/6.0-dev/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0-dev/changelog.txt).
+* Canonical place for these [release notes](https://dist.plone.org/release/6.0.7/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0.7/changelog.txt).
If you want to jump straight in, here are two important links:
-* With pip you can use the constraints file at [https://dist.plone.org/release/6.0-dev/constraints.txt](https://dist.plone.org/release/6.0-dev/constraints.txt)
-* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0-dev/versions.cfg](https://dist.plone.org/release/6.0-dev/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0-dev/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0-dev/versions-ecosystem.cfg).
+* With pip you can use the constraints file at [https://dist.plone.org/release/6.0.7/constraints.txt](https://dist.plone.org/release/6.0.7/constraints.txt)
+* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0.7/versions.cfg](https://dist.plone.org/release/6.0.7/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0.7/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0.7/versions-ecosystem.cfg).
## Highlights
Major changes since 6.0.6:
-* `Zope`: Security fixes in `AccessControl` and `RestrictedPython`. See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
+* This includes security fixes from today's announcement:
+ * https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
+ * https://plone.org/security/hotfix/20230921
+* `Zope`:
+ * Security fixes in `AccessControl` and `RestrictedPython`. See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
+ * Allow only some image types to be displayed inline. Force download for others, especially SVG images.
+ * Tighten down the ZMI frame source logic to only allow site-local sources.
+ * Added image dimensions to SVG file properties.
* `plone.namedfile`:
+ * Fix stored XSS (Cross Site Scripting) for SVG images.
* Add internal modification timestamp with fallback to _p_mtime.
* Use new internal modification timestamp as part of the hash key for scales.
+ * Fixed issue with SVG images that contain extensive metadata.
+* `plone.rest`: When ``++api++`` is in the url multiple times, redirect to the proper url.
+* `plone.restapi`:
+ * Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
+ * Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas.
+ * When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`.
+ * When deserializing blocks, `image_scales` is removed.
+ * Add `visit_blocks` util for finding all nested blocks.
* `plone.dexterity`: Fix a memory leak. For details see [issue 3829](https://github.com/plone/Products.CMFPlone/issues/3829).
* `plone.app.widgets`: Make this package deprecated. It still works, and is included in Plone 6.0, but Plone 6.1 will not ship with it.
Widget base classes have been moved to ``plone.app.z3cform.widgets.patterns``.
@@ -29,20 +45,14 @@ Major changes since 6.0.6:
To add it to an existing site, run `plone.volto.upgrades.add_block_types_index` manually.
* `plone.app.multilingual`: Fixes for Indonesian in a multilingual site. Fix `set_recursive_language` to actually find child objects.
* `plone.app.querystring`: Fix the `currentUser`` operation when the current user's username is different from their user id.
-* `plone.namedfile`: Fixed issue with SVG images that contain extensive metadata.
-* `plone.staticresources`: update to Mockup 5.1.4:
+* `plone.staticresources`: Update Bootstrap to `5.3.2`, bootstrap-icons to `1.11.1` and Mockup to `5.1.5`:
* pat structure: Fix popover-structure-columns, use 2-column layout. (9fb499e)
* pat structure: Fix sticky position when toolbar is on top.
- * pat tinymce: Fix image modal with selected image.
-* `plonetheme.barceloneta`: Update Bootstrap to `5.3.1`
+ * pat tinymce: Fix image modal with selected image. Properly await the select2 initialization when using it from the insert image or insert link dialogs.
+* `plonetheme.barceloneta`: Update Bootstrap to `5.3.2`
* `Products.CMFCore`:
* Improve handling of PortalFolder filter input.
* Provide a way to not publish items that are acquired.
-* `plone.restapi`:
- * Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas.
- * When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`.
- * When deserializing blocks, `image_scales` is removed.
- * Add `visit_blocks` util for finding all nested blocks.
* `plone.app.locales`: Updates to nl translations.
diff --git a/release/changelog.txt b/release/changelog.txt
index 371fcf5209..2195fbe803 100644
--- a/release/changelog.txt
+++ b/release/changelog.txt
@@ -1,7 +1,13 @@
-Zope 5.8.3 → 5.8.4
+Zope 5.8.3 → 5.8.5
------------------
+- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch a to a list of denied types by setting OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. works the same as before. (CVE-2023-42458) See security advisory.
+- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
+- Added image dimensions to SVG file properties #1146.
+- Fix username not in access log for error requests, see issue #1155.
+- Update to newest compatible versions of dependencies.
+- Add preliminary support for Python 3.12rc3.
- Disable a ZCatalog (more precisly: Products.PluginIndexes) performance test which occasionally fails on GitHub. For details, see #1136.
- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
- Update to newest compatible versions of dependencies.
@@ -11,7 +17,6 @@ Zope 5.8.3 → 5.8.4
- Update RestrictedPython to version 6.2 to mitigate a security problem. (CVE-2023-41039)
- Update AccessControl to version 6.2 to mitigate a security problem. (CVE-2023-41050)
-
pip: 23.1.2 → 23.2
------------------
@@ -150,10 +155,13 @@ Bug fixes:
[gforcada] (#147)
-plone.app.upgrade: 3.0.6 → 3.0.7
+plone.app.upgrade: 3.0.6 → 3.0.8
--------------------------------
Bug fixes:
+- Fix error in site syndication settings when upgrading.
+ [maurits] (#315)
+
- Add Upgrade Step to fix ISyndicationSettings
[1letter] (#315)
@@ -237,7 +245,7 @@ Internal:
[plone devs] (55bda5c9)
-plone.namedfile: 6.1.1 → 6.2.0
+plone.namedfile: 6.1.1 → 6.2.1
------------------------------
New features:
@@ -249,6 +257,11 @@ New features:
Bug fixes:
+- Fix stored XSS (Cross Site Scripting) for SVG images.
+ Done by forcing a download instead of displaying inline.
+ See `security advisory `_.
+ [maurits] (#1)
+
- Fixed the issue where SVG images containing extensive metadata were not being displayed
correctly (resulting in a width/height of 1px). This problem could occur when the
works the same as before. (CVE-2023-42458) See security advisory.
+- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
+- Added image dimensions to SVG file properties #1146.
+- Fix username not in access log for error requests, see issue #1155.
+- Update to newest compatible versions of dependencies.
+- Add preliminary support for Python 3.12rc3.
- Disable a ZCatalog (more precisly: Products.PluginIndexes) performance test which occasionally fails on GitHub. For details, see #1136.
- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
- Update to newest compatible versions of dependencies.
@@ -11,7 +17,6 @@ Zope 5.8.3 → 5.8.4
- Update RestrictedPython to version 6.2 to mitigate a security problem. (CVE-2023-41039)
- Update AccessControl to version 6.2 to mitigate a security problem. (CVE-2023-41050)
-
pip: 23.1.2 → 23.2
------------------
@@ -150,10 +155,13 @@ Bug fixes:
[gforcada] (#147)
-plone.app.upgrade: 3.0.6 → 3.0.7
+plone.app.upgrade: 3.0.6 → 3.0.8
--------------------------------
Bug fixes:
+- Fix error in site syndication settings when upgrading.
+ [maurits] (#315)
+
- Add Upgrade Step to fix ISyndicationSettings
[1letter] (#315)
@@ -237,7 +245,7 @@ Internal:
[plone devs] (55bda5c9)
-plone.namedfile: 6.1.1 → 6.2.0
+plone.namedfile: 6.1.1 → 6.2.1
------------------------------
New features:
@@ -249,6 +257,11 @@ New features:
Bug fixes:
+- Fix stored XSS (Cross Site Scripting) for SVG images.
+ Done by forcing a download instead of displaying inline.
+ See `security advisory