Giuseppe Iuculano
2009-Aug-08 08:29 UTC
[Secure-testing-team] Bug#540463: CVE-2009-0668, CVE-2009-0669
Package: zope2.11 Severity: serious Tags: security patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Two vulnerabilities have been reported in Zope, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system. 1) A missing access control check was found in the way Zope Enterprise Objects (ZEO) used to manage remote connections to the Zope server. A remote attacker could use this flaw to execute arbitrary Python code in the context of Zope server. (CVE-2009-0668)[0] 2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication protocol. A remote attacker could use this flaw to bypass the authentication to the Zope Object Database (ZODB). (CVE-2009-0669)[1] If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668 http://security-tracker.debian.net/tracker/CVE-2009-0668 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669 http://security-tracker.debian.net/tracker/CVE-2009-0669 http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html Cheers, Giuseppe. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkp9N10ACgkQNxpp46476apG5ACeLNiuLBV6XnbzBmHI/pDcrtxg tDIAnjRibKWGS72AAhFhYgfppB9RfJ4A =yln6 -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: zeo.patch Type: text/x-c++ Size: 3891 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090808/d1374f55/attachment.bin>