Mailing List Archive: Zope: Announce

CVE-2009-0668 and CVE-2009-0669: Releases to fix ZODB ZEO server vulnerabilities



jim at zope

Aug 6, 2009, 5:01 AM


Vulnerabilities have been found in the Zope Object Database (ZODB)
Zope Enterprise Objects (ZEO) network protocol that allow:

CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers

The vulnerabilities only apply if you are using ZEO to share a
database among multiple applications or application instances and if
untrusted clients are able to connect to your ZEO servers.

The first vulnerability (CVE-2009-0668) was introduced in ZODB 3.3
(Zope 2.8). The second vulnerability (CVE-2009-0669) was introduced
in ZODB 3.2 (Zope 2.7).

Overview

These vulnerabilities are addressed by updates to ZODB. Newer
releases of Zope are also being provided for people who get ZODB with Zope
releases.

A new release of ZODB is available here:

http://pypi.python.org/pypi/ZODB3/3.8.2

(There is also a new development release at
http://pypi.python.org/pypi/ZODB3/3.9.0b5.)

New Zope releases that include the fixes can be found here:

http://www.zope.org/Products/Zope/2.10.9
http://www.zope.org/Products/Zope/2.11.4
http://www.zope.org/Products/Zope/2.8.11
http://www.zope.org/Products/Zope/2.9.11
http://www.zope.org/Products/Zope3/3.1.1
http://www.zope.org/Products/Zope3/3.2.4
http://www.zope.org/Products/Zope3/3.3.3
http://www.zope.org/Products/Zope3/3.4.1

We recommend updating any ZEO storage servers you're running to ZODB
3.8.2 (or ZODB 3.9.0b5) or to ZODB software provided with the Zope
releases listed above. These versions support ZEO clients as old as
ZODB 3.2. It isn't necessary to update client software (such as Zope
application servers).

Restricting access to ZEO storage servers

It is very important to restrict write access to ZODB databases. These
releases only protect against vulnerabilities in the ZEO network
protocol. ZODB uses Python pickles to store data. Loading data from
the database can cause arbitrary code to be executed as part of object
deserialization. Clients have full access to manipulate database
data. For this reason, it is very important that only trusted clients
be allowed to write to ZODB databases.

Jim

--
Jim Fulton
_______________________________________________
Zope-Announce maillist - Zope-Announce [at] zope
http://mail.zope.org/mailman/listinfo/zope-announce

Zope-Announce for Announcements only - no discussions

(Related lists -
Users: http://mail.zope.org/mailman/listinfo/zope
Developers: http://mail.zope.org/mailman/listinfo/zope-dev )
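Added example (not part of Jim Fulton's announcement and not ZODB's own code): the closing paragraph of the post explains that ZODB stores Python pickles and that deserializing them can run arbitrary code, which is why only trusted clients may write to the database. The block below shows the two defensive checks that follow from that point in plain Python: a static scan built on pickletools.genops that lists the globals a pickle would import without executing anything, and a restricted unpickler whose find_class refuses any global outside an allowlist. The allowlist, the safe and suspect pickle bytes, and the helper names (referenced_globals, audit, load_or_reject) are all constructed for this example; ZODB and ZEO have their own serialization layer and do not contain this code.

```python
import io
import pickle
import pickletools

# Allowlist of (module, name) globals the unpickler may resolve. Constructed
# for this example; a real deployment would list the classes its own
# database actually stores.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
}

# Constructed pickles. SAFE_PICKLE is an ordinary set. SUSPECT_PICKLE is
# hand-assembled: PROTO 3, GLOBAL os getcwd, EMPTY_TUPLE, REDUCE, STOP, so a
# plain unpickler would import os.getcwd and call it during load. Protocol 3
# is used on both so that no Python 2 module-name remapping takes place.
SAFE_PICKLE = pickle.dumps({1, 2}, protocol=3)
SUSPECT_PICKLE = b"\x80\x03cos\ngetcwd\n)R."

_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def referenced_globals(data):
    """List every (module, name) a pickle would import, without executing it.

    pickletools.genops only disassembles the opcode stream. GLOBAL carries
    both names in its argument; STACK_GLOBAL (protocol 4 and later) takes
    them from the two most recently pushed strings, tracked here as a
    simple heuristic.
    """
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in _STRING_OPS:
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s" % (module, name))


def load_or_reject(data):
    """Return ("ok", obj) if data loads under the allowlist, else ("rejected", reason)."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def audit(data):
    """Static pass: the globals a pickle references and whether all are allowlisted."""
    refs = referenced_globals(data)
    return refs, all(ref in ALLOWED_GLOBALS for ref in refs)


if __name__ == "__main__":
    for label, blob in (("safe", SAFE_PICKLE), ("suspect", SUSPECT_PICKLE)):
        print(label, audit(blob), load_or_reject(blob))
```

Running the block as a script prints the audit result and the load outcome for both pickles: the set loads, the hand-built pickle is reported as referencing os.getcwd and is rejected before REDUCE ever runs. The static scan is useful for reviewing stored records on disk; the restricted unpickler is the check to apply wherever untrusted bytes are actually loaded. Neither replaces the advice in the post: keep untrusted clients away from the ZEO server and off the write path entirely.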
