Ubuntu Security Notice USN-848-1
14th October, 2009
zope3 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 9.04
- Ubuntu 8.10
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS
Software description
- zope3
Details
It was discovered that the Zope Object Database (ZODB) database server
(ZEO) improperly filtered certain commands when a database is shared among
multiple applications or application instances. A remote attacker could
send malicious commands to the server and execute arbitrary code.
(CVE-2009-0668)
It was discovered that the Zope Object Database (ZODB) database server
(ZEO) did not handle authentication properly when a database is shared
among multiple applications or application instances. A remote attacker
could use this flaw to bypass security restrictions. (CVE-2009-0669)
It was discovered that Zope did not limit the number of new object ids a
client could request. A remote attacker could use this flaw to consume a
huge amount of resources, leading to a denial of service. (No CVE
identifier)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 9.04:
- zope3 3.4.0-0ubuntu3.3
- Ubuntu 8.10:
- zope3 3.3.1-7ubuntu0.2
- Ubuntu 8.04 LTS:
- zope3 3.3.1-5ubuntu2.2
- Ubuntu 6.06 LTS:
- zope3 3.2.1-1ubuntu1.2
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.