You are here: Home / Documentation / How To's / How to apply Plone security patches

How to apply Plone security patches

by nguyen — published Oct 04, 2011 11:05 AM, last modified Aug 16, 2016 10:50 AM
keep calm

Here's the overall process we use:

  • prepare your résumé
  • call up a headhunter
  • gird your loins
No, seriously, here's how we patch our several Plone servers:
  • Get on IRC chat.  If you need to get around a campus firewall, ssh tunnel to an outside machine and tell your IRC client to use the localhost server.  Or go to as an acceptable alternative.  In IRC get in the #weblion and #plone chat rooms.  In the #plone chat room there is usually a topic at the top that includes all the URLs you'll need.
  • Go to or the exact URL of the security advisory that was pre-announced.
  • If you aren't already, get on the Plone mailing lists at for general announcements and security announcements.
  • While you're waiting for the patch to be released at the specific announced time (UTC seems to be six hours ahead of Central Time unless daylight savings is in effect, so UTC could be five hours ahead), ssh to the server(s) you'll be patching.
  • Make a list of the Zopes you'll need to patch.  In our case this time they were all on one server, in various directories in /opt and in one other user home directory.
  • Once the patch is out, I download the zip file (not the egg... yet) and copy it to the /opt/Plone-versionwhatever/zeocluster/products directory, unzip it,
  • If you have a ZEO client that is not used by the public, restart it in fg mode to watch the log messages go by.  You should see a message about the hotfix having been applied.
  • Then restart that Zope (using our handy scripts - see this how-to folder for the script) in "fast" mode to avoid waiting for sessions to time out after five minutes (our default restart behaviour).
  • Do this for every affected Zope.
  • Then go back to each Zope and add the appropriate Products.PloneHotfixBLABLA entry to your buildout.cfg eggs list, so that if you (as I do) create new Zopes by grabbing older Zope's buildout.cfg and versions.cfg files you will have the hotfix in there already (otherwise it's too easy to forget!).  In our case we actually use buildout.cfg, uwosh.cfg, and sometimes polk.cfg (and associated versions.cfg files for each) so I update all of them to include the hotfix egg entry.
  • Relax.  Your job is done.  You can put your résumé away. :)