Bug#540462: CVE-2009-0668, CVE-2009-0669
Giuseppe Iuculano
giuseppe at iuculano.it
Sat Aug 8 08:26:33 UTC 2009
Package: zope3
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain
security restrictions and compromise a vulnerable system.
1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of
Zope server. (CVE-2009-0668)[0]
2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB). (CVE-2009-0669)[1]
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
http://security-tracker.debian.net/tracker/CVE-2009-0669
http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp9NrUACgkQNxpp46476arpRgCfRoRAXrXRFh3e74TxS//3rSGF
xZIAn3i3/BbFZV0maWR0meELgaKlDXZ9
=G1ST
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zeo.patch
Type: text/x-c++
Size: 3891 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-zope-developers/attachments/20090808/884f45e2/attachment.bin>
More information about the pkg-zope-developers
mailing list