3

USN-848-1: Zope vulnerabilities

view full story
linux-howto

http://www.ubuntu.com – Referenced CVEs:  CVE-2009-0668, CVE-2009-0669 Description:  =========================================================== Ubuntu Security Notice USN-848-1 October 14, 2009 zope3 vulnerabilities CVE-2009-0668, CVE-2009-0669 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: zope3 3.2.1-1ubuntu1.2 Ubuntu 8.04 LTS: zope3 3.3.1-5ubuntu2.2 Ubuntu 8.10: zope3 3.3.1-7ubuntu0.2 Ubuntu 9.04: zope3 3.4.0-0ubuntu3.3 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that the Zope Object Database (ZODB) database server (ZEO) improperly filtered certain commands when a database is shared among multiple applications or application instances. A remote attacker could send malicious commands to the server and execute arbitrary code. (CVE-2009-0668) It was discovered that the Zope Object Database (ZODB) database server (ZEO) did not handle authentication properly when a database is shared among multiple applications or application instances. A remote attacker could use this flaw to bypass security restrictions. (CVE-2009-0669) It was discovered that Zope did not limit the number of new object ids a client could request. A remote attacker could use this flaw to consume a huge amount of resources, leading to a denial of service. (No CVE identifier) (Distributions)