Bug#540465: CVE-2009-0668, CVE-2009-0669

Giuseppe Iuculano giuseppe at iuculano.it
Sat Aug 8 08:32:31 UTC 2009


Package: python2.4-zodb
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,

Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain security restrictions and compromise a
vulnerable system.

1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of the
Zope server.  (CVE-2009-0668)[0]

2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB).  (CVE-2009-0669)[1]

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
    http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
    http://security-tracker.debian.net/tracker/CVE-2009-0669

    http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html

Cheers,
Giuseppe.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp9OB0ACgkQNxpp46476aqt/gCcC2MNKL2TR2TrD60UVSl/jRNj
bSMAoI+qofGE4eDGPa2cM2U8oa4IFCeA
=EALv
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zeo.patch
Type: text/x-c++
Size: 3891 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-zope-developers/attachments/20090808/b783e561/attachment-0001.bin>
