Debian 5.0: DSA-1863-1 Critical: Zope Remote Code Execution Threat

Several remote vulnerabilities have been discovered in the zope,
a feature-rich web application server written in python, that could
lead to arbitrary code execution in the worst case. The Common
Vulnerabilities and Exposures project identified the following problems:

Due to a programming error an authorization method in the StorageServer
component of ZEO was not used as an internal method. This allows a
malicious client to bypass authentication when connecting to a ZEO server
by simply calling this authorization method (CVE-2009-0668).

The ZEO server doesn't restrict the callables when unpickling data received
from a malicious client which can be used by an attacker to execute
arbitrary python code on the server by sending certain exception pickles.
This also allows an attacker to import any importable module as ZEO is
importing the module containing a callable specified in a pickle to test
for a certain flag (CVE-2009-0668).

The update also limits the number of new object ids a client can req...