Merge pull request from GHSA-g4gq-j4p2-j8fr

* - require AccessControl 4.3 * - fix wording [ci skip]
zopefoundation · Jul 31, 2021 · 869f947 · 869f947
1 parent 3291568
commit 869f947
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 4 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -10,6 +10,10 @@ https://zope.readthedocs.io/en/2.13/CHANGES.html
 4.6.3 (unreleased)
 ------------------
 
+- Update the ``AccessControl`` version pin to fix a remote code execution issue
+  (see `AccessControl security advisory GHSA-qcx9-j53g-ccgf
+  <https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf>`_)
+
 - Prevent ``DeprecationWarnings`` from moved imports in ``AccessControl``
 
 - make sure "Manager" users can always modify proxy roles

diff --git a/constraints.txt b/constraints.txt
@@ -1,4 +1,4 @@
-AccessControl==4.2
+AccessControl==4.3
 Acquisition==4.7
 AuthEncoding==4.2.1
 BTrees==4.9.2

diff --git a/requirements-full.txt b/requirements-full.txt
@@ -1,5 +1,5 @@
 Zope==<5
-AccessControl==4.2
+AccessControl==4.3
 Acquisition==4.7
 AuthEncoding==4.2.1
 BTrees==4.9.2

diff --git a/setup.py b/setup.py
@@ -70,7 +70,7 @@ def _read_file(filename):
     package_dir={'': 'src'},
     python_requires='>=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,<3.9',
     install_requires=[
-        'AccessControl >= 4.2',
+        'AccessControl >= 4.3, <5.0',
         'Acquisition',
         'BTrees',
         'Chameleon >= 3.7.0',

diff --git a/versions-prod.cfg b/versions-prod.cfg
@@ -5,7 +5,7 @@
 Zope = <5
 Zope2 = 4.0
 # AccessControl 5+ no longer supports Zope 4.
-AccessControl = 4.2
+AccessControl = 4.3
 Acquisition = 4.7
 AuthEncoding = 4.2.1
 BTrees = 4.9.2