Bug#540463: CVE-2009-0668, CVE-2009-0669
Giuseppe Iuculano
giuseppe at iuculano.it
Sat Aug 8 08:29:20 UTC 2009
Package: zope2.11
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain
security restrictions and compromise a vulnerable system.
1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of
Zope server. (CVE-2009-0668)[0]
2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB). (CVE-2009-0669)[1]
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
http://security-tracker.debian.net/tracker/CVE-2009-0669
http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp9N10ACgkQNxpp46476apG5ACeLNiuLBV6XnbzBmHI/pDcrtxg
tDIAnjRibKWGS72AAhFhYgfppB9RfJ4A
=yln6
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zeo.patch
Type: text/x-c++
Size: 3891 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-zope-developers/attachments/20090808/d1374f55/attachment.bin>
More information about the pkg-zope-developers
mailing list