[ZODB-Dev] CVE-2009-0668 and CVE-2009-0669: Releases to fix ZODB ZEO server vulnerabilities
Chris Withers
chris at simplistix.co.uk
Thu Aug 6 13:31:35 EDT 2009
Hi Jim,
Jim Fulton wrote:
> CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
> CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
Where are the actual CVE entries for these? http://cve.mitre.org doesn't
seem to know much about either of them...
> The vulnerabilities only apply if you are using ZEO to share a
> database among multiple applications or application instances and if
> untrusted clients are able to connect to your ZEO servers.
So if only trusted zeo clients can connect to the storage server (which
is the only sane thing to do anyway, given that zeo is an unencrypted
protocol) then neither of these is a problem?
cheers,
Chris
--
Simplistix - Content Management, Batch Processing & Python Consulting
- http://www.simplistix.co.uk
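The condition both messages turn on is whether untrusted clients can reach the ZEO server at all. The check below is an added example, not code from the ZODB project or from this thread: it reads the `address` line of a `<zeo>` section from zeo.conf text and classifies how widely the storage server is reachable. It assumes the ZConfig-style layout shown in the constructed samples, and that an `address` with only a port number binds every interface, while `host:port` binds that host and a filesystem path selects a Unix domain socket.

```python
import ipaddress
import re

# Constructed sample configurations (not taken from any real deployment).
ZEO_CONF_EXPOSED = """\
<zeo>
  address 8100
</zeo>
<filestorage 1>
  path Data.fs
</filestorage>
"""

ZEO_CONF_LOCAL = """\
<zeo>
  address 127.0.0.1:8100
</zeo>
"""

ZEO_CONF_SOCKET = """\
<zeo>
  address /var/run/zeo/zeo.sock
</zeo>
"""

ZEO_SECTION_RE = re.compile(r"<zeo>(.*?)</zeo>", re.DOTALL | re.IGNORECASE)
ADDRESS_RE = re.compile(r"^\s*address\s+(\S+)\s*$", re.MULTILINE)


def zeo_bind_address(conf_text):
    """Return ("unix", path) for a socket path, else (host, port).

    host is "" when the config gives only a port; the assumption here is
    that ZEO then listens on all interfaces.
    """
    section = ZEO_SECTION_RE.search(conf_text)
    if not section:
        raise ValueError("no <zeo> section found")
    match = ADDRESS_RE.search(section.group(1))
    if not match:
        raise ValueError("no address line in <zeo> section")
    value = match.group(1)
    if value.startswith("/"):
        return "unix", value
    if ":" in value:
        host, port = value.rsplit(":", 1)
    else:
        host, port = "", value
    return host, int(port)


def classify_exposure(conf_text):
    """Say who can reach this ZEO server based on its bind address alone."""
    host, port = zeo_bind_address(conf_text)
    if host == "unix":
        # Reachability is governed by filesystem permissions on the socket.
        return "unix-socket"
    if host in ("", "0.0.0.0", "::"):
        return "exposed-all-interfaces"
    if host == "localhost":
        return "loopback-only"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "loopback-only"
    except ValueError:
        # A hostname other than localhost; not resolved here (offline check).
        return "hostname-unresolved"
    return "exposed-specific-interface"


if __name__ == "__main__":
    for name, conf in (("exposed", ZEO_CONF_EXPOSED),
                       ("local", ZEO_CONF_LOCAL),
                       ("socket", ZEO_CONF_SOCKET)):
        print(name, classify_exposure(conf))
```

A loopback-only or Unix-socket result only narrows the set of possible clients to processes on the same host; it is not authentication, and it does nothing about the cleartext protocol if the server is later re-bound to a reachable interface.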