USN-848-1: Zope vulnerabilities

Releases

• Ubuntu 9.04
• Ubuntu 8.10
• Ubuntu 8.04
• Ubuntu 6.06

Packages

• zope3 -

Details

It was discovered that the Zope Object Database (ZODB) database server
(ZEO) improperly filtered certain commands when a database is shared among
multiple applications or application instances. A remote attacker could
send malicious commands to the server and execute arbitrary code.
(CVE-2009-0668)

It was discovered that the Zope Object Database (ZODB) database server
(ZEO) did not handle authentication properly when a database is shared
among multiple applications or application instances. A remote attacker
could use this flaw to bypass security restrictions. (CVE-2009-0669)

It was discovered that Zope did not limit the number of new object ids a
client could request. A remote attacker could use this flaw to consume a
huge amount of resources, leading to a denial of service. (No CVE
identifier)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04

• zope3 - 3.4.0-0ubuntu3.3

Ubuntu 8.10

• zope3 - 3.3.1-7ubuntu0.2

Ubuntu 8.04

• zope3 - 3.3.1-5ubuntu2.2

Ubuntu 6.06

• zope3 - 3.2.1-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

• CVE-2009-0668
• CVE-2009-0669