Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Debian: DSA-2234-1 Critical: python-zodb Remote Execution

debian
Calendar Grey May 10, 2011
Scroller Debian
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------
Several remote vulnerabilities have been discovered in python-zodb, a set of tools for using ZODB, that could lead to arbitrary code execution in the worst case

Summary

Several remote vulnerabilities have been discovered in python-zodb, a set of
tools for using ZODB, that could lead to arbitrary code execution in the worst
case. The Common Vulnerabilities and Exposures project identified the following
problems:

CVE-2009-0668

The ZEO server doesn't restrict the callables when unpickling data
received from a malicious client which can be used by an attacker to execute
arbitrary python code on the server by sending certain exception pickles. This
also allows an attacker to import any importable module as ZEO is importing the
module containing a callable specified in a pickle to test for a certain flag.

CVE-2009-0669

Due to a programming error an authorization method in the StorageServer
component of ZEO was not used as an internal method. This allows a malicious
client to bypass authentication when connecting to a ZEO server by simply
calling this authorization method.

The update also limits the number of new object ids a client can request
...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Package: zodb
CVE ID: CVE-2009-0668 CVE-2009-0669

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.