CVE-2009-2701: Releases to fix ZODB ZEO server vulnerability

2009-09-01 Thread Jim Fulton
A vulnerability has been found in the Zope Object Database (ZODB) Zope
Enterprise Objects (ZEO) server implementation that allows any file
readable by the server to be read by clients and any file removable by
the server to be removed.

The vulnerability only applies if

- you are using ZEO to share a database among multiple applications or
  application instances,
- you allow untrusted clients to connect to your ZEO server, and
- the ZEO server is configured to support blobs.

The vulnerability was introduced in ZODB 3.8.

Overview
--------

This vulnerability is addressed by updates to ZODB.

A new release of ZODB is available here:

  http://pypi.python.org/pypi/ZODB3/3.8.3

(There is also a new development release at
http://pypi.python.org/pypi/ZODB3/3.9.0c2.)

If you are using blobs, we recommend updating any ZEO storage servers
you're running to ZODB 3.8.3 (or ZODB 3.9.0c2).  These versions
support ZEO clients as old as ZODB 3.2. It isn't necessary to update
client software (such as Zope application servers).

Restricting access to ZEO storage servers
-----------------------------------------

It is very important to restrict write access to ZODB databases.  These
releases only protect against vulnerabilities in the ZEO network
protocol. ZODB uses Python pickles to store data. Loading data from
the database can cause arbitrary code to be executed as part of object
deserialization.  Clients have full access to manipulate database
data.  For this reason, it is very important that only trusted clients
be allowed to write to ZODB databases.

Jim

-- 
Jim Fulton
-- 
http://mail.python.org/mailman/listinfo/python-announce-list

Support the Python Software Foundation:
http://www.python.org/psf/donations/
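The advisory's closing point, that loading a ZODB record can run arbitrary code because records are Python pickles, is worth seeing concretely. The following is an added illustration written for this page; it is not code from the advisory, from ZODB or from ZEO. The `Account` class stands in for an ordinary persistent application object and `PoisonedRecord` is a constructed malicious record whose `__reduce__` names a callable for pickle to invoke on load (a harmless `eval` here, but any importable function would do). The allow-listing `Unpickler` is the generic hardening from the Python pickle documentation, shown for contrast only: a ZEO storage server must be able to load arbitrary application classes it knows nothing about, so it cannot apply such an allow-list, which is exactly why the advisory's remedy is to let only trusted clients write.

```python
"""Added example (not part of the advisory or of ZODB): a pickle written by
an untrusted party runs code of its author's choosing when it is loaded.

A pickle is a small stack program.  Its GLOBAL/REDUCE opcodes let the
author name any importable callable and have the loader call it, so a
record written into a ZODB database by an untrusted client executes
attacker-chosen code on whoever unpickles it (server or other clients).
"""
import io
import os
import pickle


class Account:
    """Constructed stand-in for an ordinary persistent application object."""

    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance


class PoisonedRecord:
    """Constructed malicious object.  __reduce__ tells pickle to 'rebuild'
    it by calling eval() on an attacker-supplied string instead of creating
    a PoisonedRecord.  The string is harmless here (it returns the loading
    process's PID) but could name anything importable."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def benign_record():
    """Bytes a well-behaved client would store."""
    return pickle.dumps(Account("alice", 42), protocol=2)


def poisoned_record():
    """Bytes a malicious client could store in the same database."""
    return pickle.dumps(PoisonedRecord(), protocol=2)


def unsafe_load(data):
    """What a naive consumer does: pickle.loads runs whatever the record says."""
    return pickle.loads(data)


def poisoned_record_runs_code():
    """True when loading the poisoned record executed the attacker's eval():
    the 'object' that comes back is the loader's own PID, not a record."""
    return unsafe_load(poisoned_record()) == os.getpid()


class AllowListUnpickler(pickle.Unpickler):
    """Resolve only explicitly allow-listed globals; every other (module,
    name) pair is refused before it can be called.  Generic pickle
    hardening, NOT something a ZEO storage server can do, since it has to
    load arbitrary application classes."""

    ALLOWED = {(__name__, "Account")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to resolve %s.%s" % (module, name))


def safe_load(data):
    """Load through the allow-listing unpickler."""
    return AllowListUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data):
    """True if the allow-listing loader refused the record."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("benign via unsafe_load  :", vars(unsafe_load(benign_record())))
    print("poisoned via unsafe_load:", unsafe_load(poisoned_record()),
          "(our own PID: eval() ran during unpickling)")
    print("benign via safe_load    :", vars(safe_load(benign_record())))
    print("poisoned via safe_load  :",
          "rejected" if safe_load_rejects(poisoned_record()) else "NOT rejected")
```

Running it shows the poisoned record never becomes an object at all: `pickle.loads` returns whatever the attacker's callable returned, after the callable has already run with the loader's privileges. The allow-list stops the second case but only because this toy knows the one class it expects; a shared storage server does not, so restricting who can connect and write is the control that actually applies to ZEO.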


[ANN] Pida 0.6beta3

2009-09-01 Thread poelzi

We are proud to announce the hopefully last beta of Pida 0.6. [1]

It has been a long time since beta2, and a lot of changes have happened since then:

== Core Highlights ==
• multiprocessing language plugins
  Language plugins can now use a multiprocessing infrastructure which
  allows expensive operations to be done on other CPU cores. This
  increases the speed of plugins like python_lint and python
  dramatically and no longer makes the GUI sluggish.
• project file caches
  Projects now have a file cache which allows fast queries for filenames
  and file types. The QuickOpen plugin provides a GUI for this,
  allowing the user to open files of which parts of the name, path or
  file type are known.
• very precise feature selection from LanguagePlugins
• better filemonitor support
• new documentation (needs some GUI work, though)
• lots of speedups
• lots of usability enhancements
• lots and lots of fixes

== New Plugins ==
• RegexpToolkit - helps you develop and analyze regular expressions
• QuickOpen - fast file opener for project files
• WayPoint - autogenerates waypoints when you surf and edit files and
  allows you to jump back and forth


[1] http://pida.co.uk/blog/0.6beta3