Your message dated Fri, 28 Aug 2009 10:33:22 +0000
with message-id <[email protected]>
and subject line Bug#540465: fixed in zodb 1:3.8.2-1
has caused the Debian Bug report #540465,
regarding CVE-2009-0668, CVE-2009-0669
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
540465: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540465
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python2.4-zodb
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain security restrictions and compromise a
vulnerable system.
1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of
Zope server. (CVE-2009-0668)[0]
2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB). (CVE-2009-0669)[1]
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
http://security-tracker.debian.net/tracker/CVE-2009-0669
http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp9OB0ACgkQNxpp46476aqt/gCcC2MNKL2TR2TrD60UVSl/jRNj
bSMAoI+qofGE4eDGPa2cM2U8oa4IFCeA
=EALv
-----END PGP SIGNATURE-----
=== StorageServer.py
==================================================================
--- StorageServer.py (revision 167632)
+++ StorageServer.py (local)
@@ -111,7 +111,7 @@
for func in self.extensions:
self._extensions[func.func_name] = None
- def finish_auth(self, authenticated):
+ def _finish_auth(self, authenticated):
if not self.auth_realm:
return 1
self.authenticated = authenticated
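Review bot: the rename to `_finish_auth` is the entire access-control fix in this hunk, but nothing here shows the dispatcher rule that keeps underscore-prefixed methods from being callable over the wire; the `self._extensions[func.func_name] = None` registry just above registers extensions by bare name, so a reader cannot tell from the diff why the underscore matters. Add a short comment on `_finish_auth` saying the leading underscore is what removes it from the remote-callable surface, and a regression test that a client invocation of `finish_auth` (and `_finish_auth`) is refused, so a later rename cannot quietly re-expose an authentication bypass.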
@@ -421,6 +421,7 @@
def new_oids(self, n=100):
"""Return a sequence of n new oids, where n defaults to 100"""
+ n = min(n, 100)
if self.read_only:
raise ReadOnlyError()
if n <= 0:
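Review bot: the docstring is now out of date: it says "n defaults to 100" but `n = min(n, 100)` also makes 100 a hard ceiling, and the clamp silently returns fewer oids than a caller asked for instead of raising. State both facts in the docstring (e.g. "Return a sequence of at most 100 new oids; n defaults to 100 and larger requests are capped") so client code that loops on the result knows to check the length. The `if n <= 0` check after the clamp is still correct, since `min` cannot turn a positive n non-positive.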
=== auth/auth_digest.py
==================================================================
--- auth/auth_digest.py (revision 167632)
+++ auth/auth_digest.py (local)
@@ -121,7 +121,7 @@
check = hexdigest("%s:%s" % (h_up, challenge))
if check == response:
self.connection.setSessionKey(session_key(h_up, self._key_nonce))
- return self.finish_auth(check == response)
+ return self._finish_auth(check == response)
extensions = [auth_get_challenge, auth_response]
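Review bot: `check == response` is evaluated twice (once for the `if`, once as the argument to `_finish_auth`); hoist it into a single local such as `ok = (check == response)` and use it in both places so the session-key decision and the authentication result cannot drift apart. Separately, the plain `==` on the hex digest is not a constant-time comparison; a length-checked, constant-time compare would close a timing side channel on the response check without changing the protocol.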
=== tests/auth_plaintext.py
==================================================================
--- tests/auth_plaintext.py (revision 167632)
+++ tests/auth_plaintext.py (local)
@@ -41,7 +41,7 @@
self.connection.setSessionKey(session_key(username,
self.database.realm,
password))
- return self.finish_auth(dbpw == password_dig)
+ return self._finish_auth(dbpw == password_dig)
class PlaintextClient(Client):
extensions = ["auth"]
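Review bot: in the visible context `self.connection.setSessionKey(...)` is reached before the result `dbpw == password_dig` is passed to `_finish_auth`, and the guard that should gate it lies above the hunk and is not shown; confirm that call sits under an `if dbpw == password_dig:` just as the digest variant sits under `if check == response:`, so a failed password never installs a session key. The rename itself is consistent with the other call sites.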
=== zrpc/connection.py
==================================================================
--- zrpc/connection.py (revision 167632)
+++ zrpc/connection.py (local)
@@ -24,7 +24,7 @@
import ThreadedAsync
from ZEO.zrpc import smac
from ZEO.zrpc.error import ZRPCError, DisconnectedError
-from ZEO.zrpc.marshal import Marshaller
+from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
from ZEO.zrpc.trigger import trigger
from ZEO.zrpc.log import short_repr, log
from ZODB.loglevels import BLATHER, TRACE
@@ -883,6 +883,7 @@
def __init__(self, sock, addr, obj, mgr):
self.mgr = mgr
self.__super_init(sock, addr, obj, 'S')
+ self.marshal = ServerMarshaller()
self.obj.notifyConnected(self)
def handshake(self):
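Review bot: `self.marshal = ServerMarshaller()` overwrites whatever marshaller `self.__super_init(sock, addr, obj, 'S')` installed, so the restriction depends on assignment order inside `__init__`; if the base initializer ever registers the socket with the event loop or processes a pending message before returning, that message would be decoded by the permissive `Marshaller`. Prefer passing the marshaller class into the base initializer (or a class attribute the base consults) rather than overwriting after the fact, and add a test asserting that a server-side connection's `marshal` is a `ServerMarshaller`, so the hardening cannot be lost by a reordering.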
=== zrpc/marshal.py
==================================================================
--- zrpc/marshal.py (revision 167632)
+++ zrpc/marshal.py (local)
@@ -52,6 +52,20 @@
level=logging.ERROR)
raise
+class ServerMarshaller(Marshaller):
+
+ def decode(self, msg):
+ """Decodes msg and returns its parts"""
+ unpickler = cPickle.Unpickler(StringIO(msg))
+ unpickler.find_global = server_find_global
+
+ try:
+ return unpickler.load() # msgid, flags, name, args
+ except:
+ log("can't decode message: %s" % short_repr(msg),
+ level=logging.ERROR)
+ raise
+
_globals = globals()
_silly = ('__doc__',)
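Review bot: `decode` duplicates the base `Marshaller.decode` except for the `unpickler.find_global = server_find_global` line; make the lookup function a hook on the base class (e.g. a `find_global` attribute that `ServerMarshaller` overrides) so the two copies cannot diverge. Also document that `find_global` is the `cPickle.Unpickler` attribute name: the pure-Python `pickle.Unpickler` uses `find_class` instead, so swapping `cPickle` for `pickle` here would silently drop the restriction while everything still decodes. The bare `except:` is acceptable only because it re-raises unconditionally; `except Exception:` would say so explicitly.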
@@ -78,3 +92,21 @@
return r
raise ZRPCError("Unsafe global: %s.%s" % (module, name))
+
+def server_find_global(module, name):
+ """Helper for message unpickler"""
+ try:
+ m = __import__(module, _globals, _globals, _silly)
+ except ImportError, msg:
+ raise ZRPCError("import error %s: %s" % (module, msg))
+
+ try:
+ r = getattr(m, name)
+ except AttributeError:
+ raise ZRPCError("module %s has no global %s" % (module, name))
+
+ safe = getattr(r, '__no_side_effects__', 0)
+ if safe:
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
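Review bot: `__import__(module, _globals, _globals, _silly)` runs before any safety decision, so a peer-supplied module name imports (and executes the module-level code of) any importable module on the path even though the resulting global is then rejected as unsafe; gate the module name against an allow-list of the few modules the protocol legitimately references before calling `__import__`, and only then apply the `__no_side_effects__` check. The function is otherwise a near-verbatim copy of the `find_global` ending at `raise ZRPCError("Unsafe global: %s.%s" % (module, name))` just above it; factor the shared import-and-getattr part into one helper parameterised by the acceptance test. Finally, document the `__no_side_effects__` contract somewhere visible: any class reachable through an allowed module that sets that attribute becomes instantiable from the network.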
--- End Message ---
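The patch above restricts which globals the ZEO server will resolve while unpickling a client message. The following is an added example, not ZEO's code, that shows the same technique on Python 3's `pickle` API (which uses a `find_class` hook rather than the Python 2 `cPickle` `find_global` attribute). The allow-list contents, the `(msgid, flags, name, args)` message shape taken from the patch's own comment, and the sample messages are all constructed for the example; the check deliberately runs before any import, which is the ordering the review note on `server_find_global` asks for.

```python
"""Restricted unpickling for a ZEO-style RPC message (added example)."""
import io
import os
import pickle

# Constructed allow-list: module -> names a peer may reference in a message.
# Anything not listed is refused before the module is imported, so a
# peer-chosen module name cannot trigger import-time side effects.
SAFE_GLOBALS = {
    "collections": {"OrderedDict"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose global lookup is confined to SAFE_GLOBALS."""

    def find_class(self, module, name):
        # Decide first, import second: the base find_class performs the
        # __import__, so it must only be reached for allow-listed names.
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing global %s.%s" % (module, name))


def decode_message(msg: bytes):
    """Decode a (msgid, flags, name, args) tuple; raise on unsafe globals."""
    return RestrictedUnpickler(io.BytesIO(msg)).load()


def is_decodable(msg: bytes) -> bool:
    """True if the message decodes under the restriction, False if refused."""
    try:
        decode_message(msg)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed sample messages (all produced locally, none from the network).
import collections  # used only to build the sample below

PLAIN_MSG = pickle.dumps((1, 0, "new_oids", (5,)))          # basic types only
ORDERED_MSG = pickle.dumps(                                  # allow-listed global
    (2, 0, "store", (collections.OrderedDict([("a", 1)]),)))
FUNC_MSG = pickle.dumps((3, 0, "load", (os.getcwd,)))        # function reference: refused

if __name__ == "__main__":
    print("plain   :", decode_message(PLAIN_MSG))
    print("ordered :", decode_message(ORDERED_MSG))
    print("function:", "decodable" if is_decodable(FUNC_MSG) else "refused")
```

The unrestricted `pickle.loads(FUNC_MSG)` would hand the server a live function object; the restricted loader refuses it at the global lookup, before any object is built. Extend `SAFE_GLOBALS` only with types whose construction has no side effects, which is the same contract the patch encodes with `__no_side_effects__`.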
--- Begin Message ---
Source: zodb
Source-Version: 1:3.8.2-1
We believe that the bug you reported is fixed in the latest version of
zodb, which is due to be installed in the Debian FTP archive:
python-zodb_3.8.2-1_amd64.deb
to pool/main/z/zodb/python-zodb_3.8.2-1_amd64.deb
zodb_3.8.2-1.diff.gz
to pool/main/z/zodb/zodb_3.8.2-1.diff.gz
zodb_3.8.2-1.dsc
to pool/main/z/zodb/zodb_3.8.2-1.dsc
zodb_3.8.2.orig.tar.gz
to pool/main/z/zodb/zodb_3.8.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio Tranchitella <[email protected]> (supplier of updated zodb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 28 Aug 2009 11:06:03 +0200
Source: zodb
Binary: python-zodb
Architecture: source amd64
Version: 1:3.8.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian/Ubuntu Zope Team
<[email protected]>
Changed-By: Fabio Tranchitella <[email protected]>
Description:
python-zodb - set of tools for using the Zope Object Database (ZODB)
Closes: 540465 541972
Changes:
zodb (1:3.8.2-1) unstable; urgency=high
.
* New upstream release, fixes security issues. (Closes: #540465)
* Standards-Version: 3.8.3, no changes required.
* A rebuild is enough to get rid of the python2.3 dependency.
(Closes: #541972)
Checksums-Sha1:
3766c79b1b25054e51ce4dbe03ddde35126dea9f 1236 zodb_3.8.2-1.dsc
c01e45eec55fcd1e88b78fc187e67a2992c2264a 797599 zodb_3.8.2.orig.tar.gz
f7436dd74a70bc9391ffc3144ccf693dd2b71806 3939 zodb_3.8.2-1.diff.gz
e9386ae8a6ca22af20971599c7c97974ae05b23d 1247352 python-zodb_3.8.2-1_amd64.deb
Checksums-Sha256:
fb0d99697e6314598e318469b953391a19041b02ced7a3ca44d16cffb31fd658 1236
zodb_3.8.2-1.dsc
8686fb7e10d1d4ec7f07c4ec7256f0d17b0583aea2cba4d62e012fa034ecfcab 797599
zodb_3.8.2.orig.tar.gz
e41a97a843ce06f22d8024da691df7ebe2f6d96d04ce8ca95c4660364074ca64 3939
zodb_3.8.2-1.diff.gz
ceb7bf8bf7fb0d5e9d7ec09a2f0aa9bca0fd96735537020952120f7026859b39 1247352
python-zodb_3.8.2-1_amd64.deb
Files:
c9ce12faa9c9b6335db5a4e858099913 1236 python extra zodb_3.8.2-1.dsc
4d4526a71641659be0cbd7319db31a19 797599 python extra zodb_3.8.2.orig.tar.gz
1a815d6ce89fb99ca5d164f2202bac2e 3939 python extra zodb_3.8.2-1.diff.gz
68e328d960194a9456834a5f6b7018ff 1247352 python extra
python-zodb_3.8.2-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqXolEACgkQK/juK3+WFWRmcACfbb2HRY9zYJa5OD3diHbCM2Dk
CFoAnjrPKKqvCd2M9inbjZAlSGExDm1c
=UtH8
-----END PGP SIGNATURE-----
--- End Message ---