Hi Jim,

Jim Fulton wrote:
>   CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
>   CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers

Where are the actual CVE entries for these? http://cve.mitre.org doesn't 
seem to know much about either of them...

> The vulnerabilities only apply if you are using ZEO to share a
> database among multiple applications or application instances and if
> untrusted clients are able to connect to your ZEO servers.

So if only trusted zeo clients can connect to the storage server (which 
is the only sane thing to do anyway, given that zeo is an unencrypted 
protocol) then neither of these is a problem?



Simplistix - Content Management, Batch Processing & Python Consulting
            - http://www.simplistix.co.uk
For more information about ZODB, see the ZODB Wiki:

ZODB-Dev mailing list  -  ZODB-Dev@zope.org

Reply via email to