Merge pull request from GHSA-g4gq-j4p2-j8fr

* - require AccessControl 5.2 * - fix wording [ci skip]
zopefoundation · Jul 31, 2021 · f72a18d · f72a18d
1 parent e9b9302
commit f72a18d
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 4 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -11,6 +11,10 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 5.3 (unreleased)
 ----------------
 
+- Update the ``AccessControl`` version pin to fix a remote code execution issue
+  (see `AccessControl security advisory GHSA-qcx9-j53g-ccgf
+  <https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf>`_)
+
 - Prevent ``DeprecationWarnings`` from moved imports in ``AccessControl``
 
 - make sure "Manager" users can always modify proxy roles

diff --git a/constraints.txt b/constraints.txt
@@ -1,4 +1,4 @@
-AccessControl==5.0
+AccessControl==5.2
 Acquisition==4.7
 AuthEncoding==4.2.1
 BTrees==4.9.1

diff --git a/requirements-full.txt b/requirements-full.txt
@@ -1,5 +1,5 @@
 -e git+https://github.com/zopefoundation/Zope.git@master#egg=Zope
-AccessControl==5.0
+AccessControl==5.2
 Acquisition==4.7
 AuthEncoding==4.2.1
 BTrees==4.9.1

diff --git a/setup.py b/setup.py
@@ -69,7 +69,7 @@ def _read_file(filename):
     package_dir={'': 'src'},
     python_requires='>= 3.6',
     install_requires=[
-        'AccessControl >= 4.2',
+        'AccessControl >= 5.2',
         'Acquisition',
         'BTrees',
         'Chameleon >= 3.7.0',

diff --git a/versions-prod.cfg b/versions-prod.cfg
@@ -4,7 +4,7 @@
 [versions]
 Zope =
 Zope2 = 4.0
-AccessControl = 5.0
+AccessControl = 5.2
 Acquisition = 4.7
 AuthEncoding = 4.2.1
 BTrees = 4.9.1