[ZODB-Dev] CVE-2009-0668 and CVE-2009-0669: Releases to fix ZODB ZEO server vulnerabilities

Jim Fulton jim at zope.com
Thu Aug 6 13:36:38 EDT 2009


On Thu, Aug 6, 2009 at 1:31 PM, Chris Withers <chris at simplistix.co.uk> wrote:
> Hi Jim,
>
> Jim Fulton wrote:
>>
>>  CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
>>  CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
>
> Where are the actual CVE entries for these? http://cve.mitre.org doesn't
> seem to know much about either of them...

These were reserved a couple of weeks ago.  My understanding is that
MITRE will update these based on our announcement.

>> The vulnerabilities only apply if you are using ZEO to share a
>> database among multiple applications or application instances and if
>> untrusted clients are able to connect to your ZEO servers.
>
> So if only trusted zeo clients can connect to the storage server (which is
> the only sane thing to do anyway, given that zeo is an unencrypted protocol)
> then neither of these is a problem?

Yup.  Note that some people probably relied on the authentication
protocol to allow wider access. Also, if someone was making a
read-only connection available, they'd be vulnerable.

Jim

-- 
Jim Fulton
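The exposure conditions Jim lays out above (untrusted clients able to reach the server, reliance on the authentication protocol, or a read-only connection offered to a wider audience) can be checked mechanically against a server's configuration. The following is an added example written for this page; it is not code from the ZODB/ZEO project or from either poster. It assumes the ZEO 3.x zeo.conf layout: a <zeo> section containing an "address" line (a bare port, which binds all interfaces, or host:port), an optional "read-only" line, and the "authentication-protocol" key. The configuration embedded in the script is constructed for illustration.

```python
"""Audit a ZEO 3.x zeo.conf for the exposure conditions behind
CVE-2009-0668 / CVE-2009-0669.

Added example, not ZODB/ZEO project code.  Assumptions: the <zeo>
section keys 'address', 'read-only' and 'authentication-protocol'
as used by ZEO 3.x; the sample config below is constructed.
"""
import re

# Constructed sample: a server bound to every interface that relies on
# ZEO authentication and read-only mode for protection.
SAMPLE_ZEO_CONF = """\
%define INSTANCE /var/zeo
<zeo>
  address 0.0.0.0:8100
  read-only true
  authentication-protocol digest
  authentication-database $INSTANCE/etc/auth.db
  authentication-realm zeo
</zeo>
<filestorage 1>
  path $INSTANCE/var/Data.fs
</filestorage>
"""

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def parse_zeo_section(conf):
    """Return the key/value lines inside <zeo> ... </zeo> as a dict."""
    match = re.search(r"<zeo>(.*?)</zeo>", conf, re.S)
    if not match:
        return {}
    opts = {}
    for raw in match.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def bind_scope(address):
    """Classify an 'address' value: unset, unix, loopback, all or host."""
    if not address:
        return "unset"
    if address.startswith("/"):            # unix-domain socket path
        return "unix"
    host, sep, _port = address.rpartition(":")
    if not sep:                            # bare port -> all interfaces
        return "all"
    host = host.strip("[]")                # [::1]:8100 -> ::1
    if host in LOOPBACK_HOSTS:
        return "loopback"
    if host in ("", "0.0.0.0", "::"):
        return "all"
    return "host"                          # a specific, routable interface


def audit(conf):
    """Return a list of findings; an empty list means no exposure found."""
    opts = parse_zeo_section(conf)
    scope = bind_scope(opts.get("address", ""))
    findings = []
    if scope in ("all", "host"):
        findings.append(
            "address %r is reachable from the network: only trusted clients "
            "may connect (firewall/VPN); ZEO is an unencrypted protocol"
            % opts.get("address"))
    if "authentication-protocol" in opts and scope != "loopback":
        findings.append(
            "authentication-protocol is not an access control here: "
            "CVE-2009-0669 is an authentication bypass")
    read_only = opts.get("read-only", "false").lower() in ("true", "yes", "on")
    if read_only and scope != "loopback":
        findings.append(
            "read-only does not prevent CVE-2009-0668 (arbitrary code "
            "execution); a read-only connection is still exploitable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZEO_CONF):
        print("WARNING:", finding)
```

The three warnings the sample produces map one-to-one onto the thread: network reachability is the precondition for both CVEs, authentication does not narrow it, and read-only mode does not either. A configuration bound to 127.0.0.1 yields no findings, which is the "only trusted clients" case Chris describes.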

