On Thu, Aug 6, 2009 at 1:31 PM, Chris Withers<ch...@simplistix.co.uk> wrote:
> Hi Jim,
>
> Jim Fulton wrote:
>>
>>  CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
>>  CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
>
> Where are the actual CVE entries for these? http://cve.mitre.org doesn't
> seem to know much about either of them...

These were reserved a couple of weeks ago.  My understanding is that
MITRE will update these based on our announcement.

>> The vulnerabilities only apply if you are using ZEO to share a
>> database among multiple applications or application instances and if
>> untrusted clients are able to connect to your ZEO servers.
>
> So if only trusted zeo clients can connect to the storage server (which is
> the only sane thing to do anyway, given that zeo is an unencrypted protocol)
> then neither of these is a problem?

Yup.  Note that some people probably relied on the authentication
protocol to allow wider access. Also, if someone was making a
read-only connection available, they'd be vulnerable.

Jim

-- 
Jim Fulton
_______________________________________________
For more information about ZODB, see the ZODB Wiki:
http://www.zope.org/Wikis/ZODB/

ZODB-Dev mailing list  -  ZODB-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zodb-dev
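The mitigation Jim confirms above is an exposure question: the two CVEs only matter if clients you do not trust can reach the ZEO listening socket, and a read-only connection does not help. The following Python script is an added example, not code from the thread or from the ZODB project; it reads the `address` directive from the `<zeo>` section of a zeo.conf (a bare port means ZEO listens on every interface; `host:port` or a Unix socket path narrows it) and reports whether the configuration alone already confines the server to local clients or whether network-level restriction is still needed. The sample configuration fragments are constructed for the example.

```python
import re
import ipaddress

# Constructed zeo.conf fragments (not taken from the thread). The `address`
# directive in the <zeo> section takes a bare port, host:port, or a socket path.
SAMPLE_CONFIGS = {
    "loopback":       "<zeo>\n  address 127.0.0.1:8100\n</zeo>\n",
    "all_interfaces": "<zeo>\n  address 8100\n</zeo>\n",
    "wildcard":       "<zeo>\n  address 0.0.0.0:8100\n</zeo>\n",
    "private_host":   "<zeo>\n  address 10.0.0.5:8100\n</zeo>\n",
    "unix_socket":    "<zeo>\n  address /var/run/zeo.sock\n</zeo>\n",
}

ZEO_SECTION_RE = re.compile(r"<zeo>(.*?)</zeo>", re.DOTALL | re.IGNORECASE)
ADDRESS_RE = re.compile(r"^\s*address\s+(\S+)\s*$", re.MULTILINE)


def parse_zeo_address(conf_text):
    """Return (host, port) from the <zeo> address directive.

    host is None when only a port was given (ZEO then binds all interfaces);
    for a Unix socket path, host is the path and port is None.
    """
    section = ZEO_SECTION_RE.search(conf_text)
    if not section:
        raise ValueError("no <zeo> section found")
    addr = ADDRESS_RE.search(section.group(1))
    if not addr:
        raise ValueError("no address directive in <zeo> section")
    value = addr.group(1)
    if value.startswith("/"):
        return value, None                     # Unix domain socket
    if ":" in value:
        host, port = value.rsplit(":", 1)      # keeps IPv6 hosts intact
        return host.strip("[]"), int(port)
    return None, int(value)                    # bare port


def classify_exposure(host, port):
    """Classify how far the listening socket is reachable, from config alone."""
    if port is None:
        return "unix-socket"                   # filesystem permissions decide
    if host is None or host in ("0.0.0.0", "::"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"                      # needs DNS to know which interface
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def assess(conf_text):
    """Summarise whether the config confines ZEO to local clients.

    Only loopback and Unix-socket bindings are locally confined by the
    config itself; anything else must be restricted by a firewall or VPN,
    because the vulnerable code paths are reachable even over a read-only
    connection.
    """
    host, port = parse_zeo_address(conf_text)
    exposure = classify_exposure(host, port)
    locally_confined = exposure in ("loopback", "unix-socket")
    return {
        "host": host,
        "port": port,
        "exposure": exposure,
        "locally_confined": locally_confined,
        "action": "none" if locally_confined
                  else "restrict ZEO port to trusted clients at the network layer",
    }


if __name__ == "__main__":
    for name, conf in SAMPLE_CONFIGS.items():
        print(name, assess(conf))
```

Run it against your own zeo.conf by passing the file contents to `assess()`; a result other than `loopback` or `unix-socket` means the server's reachability, and therefore the CVE applicability, is decided outside ZODB.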
