Vulnerabilities have been found in the Zope Object Database (ZODB) Zope Enterprise Objects (ZEO) network protocol that allow:

  CVE-2009-0668  Arbitrary Python code execution in ZODB ZEO storage servers
  CVE-2009-0669  Authentication bypass in ZODB ZEO storage servers

The vulnerabilities only apply if you are using ZEO to share a database among multiple applications or application instances and if untrusted clients are able to connect to your ZEO servers.

The first vulnerability (CVE-2009-0668) was introduced in ZODB 3.3 (Zope 2.8). The second vulnerability (CVE-2009-0669) was introduced in ZODB 3.2 (Zope 2.7).

Overview

These vulnerabilities are addressed by updates to ZODB. Newer releases of Zope are also being provided for people who get ZODB with Zope releases.

A new release of ZODB is available here:

  http://pypi.python.org/pypi/ZODB3/3.8.2

(There is also a new development release at http://pypi.python.org/pypi/ZODB3/3.9.0b5.)

New Zope releases that include the fixes can be found here:

  http://www.zope.org/Products/Zope/2.10.9
  http://www.zope.org/Products/Zope/2.11.4
  http://www.zope.org/Products/Zope/2.8.11
  http://www.zope.org/Products/Zope/2.9.11
  http://www.zope.org/Products/Zope3/3.1.1
  http://www.zope.org/Products/Zope3/3.2.4
  http://www.zope.org/Products/Zope3/3.3.3
  http://www.zope.org/Products/Zope3/3.4.1

We recommend updating any ZEO storage servers you're running to ZODB 3.8.2 (or ZODB 3.9.0b5) or to the ZODB software provided with the Zope releases listed above. These versions support ZEO clients as old as ZODB 3.2. It isn't necessary to update client software (such as Zope application servers).

Restricting access to ZEO storage servers

It is very important to restrict write access to ZODB databases. These releases only protect against vulnerabilities in the ZEO network protocol. ZODB uses Python pickles to store data, and loading data from the database can cause arbitrary code to be executed as part of object deserialization. Clients have full access to manipulate database data. For this reason, it is very important that only trusted clients be allowed to write to ZODB databases.
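The last paragraph's point is that a stored ZODB record is a Python pickle, and loading it can import and call code chosen by whoever wrote the record. The following is an added illustration of that risk and of a defensive check, not code from ZODB or from this announcement: it lists the globals a pickle would import without loading it, and loads only through an allowlisting unpickler. The allowlist and the sample records are constructed for the example.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Hypothetical allowlist of (module, name) pairs an application expects in its records.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> set:
    """Return the (module, name) pairs a pickle would import, without loading it."""
    found, strings, memo, last_string = set(), [], {}, None
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                 # protocols 0-3: "module name" as one text argument
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":         # protocol 4+: module and name were pushed earlier
            name, module = strings.pop(), strings.pop()
            found.add((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "MEMOIZE":              # remember strings so later GETs resolve to them
            memo[len(memo)] = last_string
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last_string
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and memo.get(arg) is not None:
            strings.append(memo[arg])
        last_string = arg if op.name in STRING_OPS else None
    return found


def disallowed_globals(data: bytes) -> set:
    return referenced_globals(data) - ALLOWED_GLOBALS


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on the allowlist (the pattern from the pickle docs)."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample records: a benign OrderedDict in two pickle protocols, and a
# hand-built protocol-0 pickle that merely references os.getcwd (it is never called).
SAFE_RECORD_V2 = pickle.dumps(OrderedDict(a=1), protocol=2)
SAFE_RECORD_V4 = pickle.dumps(OrderedDict(a=1), protocol=4)
SUSPICIOUS_RECORD = b"cos\ngetcwd\n."
```

ZODB's own loader performs no such allowlisting, so a check like this is a complement to, not a replacement for, updating the storage server and restricting which clients may write.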
Jim

--
Jim Fulton

_______________________________________________
Zope-Announce maillist - Zope-Announce@zope.org
http://mail.zope.org/mailman/listinfo/zope-announce
Zope-Announce for Announcements only - no discussions
(Related lists - Users: http://mail.zope.org/mailman/listinfo/zope
Developers: http://mail.zope.org/mailman/listinfo/zope-dev)