** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** A vulnerability in the Zope Object Database (ZODB) database server (ZEO) allows a client to execute arbitrary Python code in the server process (CVE-2009-0668). ZEO includes a weak authentication protocol that allows authentication to be bypassed (CVE-2009-0669).
Radoslaw, Alfredo, please prepare an ebuild using the attached patch and attach the ebuild to this bug. We can do prestable testing here. Do not commit anything to CVS.
Created attachment 198895: zodb-3.3.1-CVE-2009-0668+0669.patch
Well, I don't have a reference for the CVE; I guess that is because it is confidential. But I guess it affects other versions of zodb, as the code in ZEO seems not to have changed between those versions (from a very, very short reading). If so, I guess even zope is affected, as it is using zodb from the all-in-one zope tarball. Anyway, I'm going to do what you asked very soon.
Created attachment 199327: zodb-3.3.1.ebuild

The required updated ebuild.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords: "amd64 x86"
Oh, I was not aware net-zope/zope ships a copy of this as well. Are you maintaining all the zope slots as well?
Well, yeah. If you can point out the affected versions, I can see what I can do for those.
2.8 and later are affected. Please attach ebuilds for the 2.9 and 2.10 slots to this bug, and we'll also test them.
Created attachment 199434: CVE-2009-0668+0669.patch

Same as the attached patch. Different subtree. Used by the zope ebuild.
Created attachment 199435: zope-2.9.10.ebuild.patch
Created attachment 199436: zope-2.10.7.ebuild.patch
A question: is zodb-3.6.0 not affected?
It is affected; please patch/update as soon as this bug is public. But we will not perform prestable testing on those versions, as they are not stable.
Created attachment 199451: bug278824overlay.tar.gz

This is messy, I'm sorry. I just noticed that zodb-3.6 also has a stable version for x86. Also, the ebuilds are named exactly as the ones in tree without -r1. I'm attaching the packed updates to the zope and zodb directories -- hopefully that makes it easier to test than yet another two files on the bug.

Arch Security Liaisons, these are for you:

=net-zope/zope-2.10.7-r1
=net-zope/zope-2.9.10-r1
Target keywords: "alpha amd64 ppc sparc x86"

=net-zope/zodb-3.3.1-r1
Target keywords: "amd64 x86"

=net-zope/zodb-3.6.0-r1
Target keywords: "x86"

CC'ing current Liaisons:
alpha: armin76, klausman
amd64: keytoaster, tester
ppc: josejx, ranger
sparc: fmccor
x86: fauli, maekke
I will be out in August. Do what you need to do (like committing the change) when the CVE becomes public.
This is now public. If anyone has the time, please commit as Tupone is currently away.
*** Bug 280822 has been marked as a duplicate of this bug. ***
+*zope-2.10.7-r1 (17 Aug 2009) +*zope-2.9.10-r1 (17 Aug 2009) + + 17 Aug 2009; Alex Legler <a3li@gentoo.org> +zope-2.9.10-r1.ebuild, + +zope-2.10.7-r1.ebuild, +files/CVE-2009-0668+0669.patch: + Non-maintainer commit: Version bump for security bug 278824. + +*zodb-3.6.0-r1 (17 Aug 2009) +*zodb-3.3.1-r1 (17 Aug 2009) + + 17 Aug 2009; Alex Legler <a3li@gentoo.org> +zodb-3.3.1-r1.ebuild, + +files/zodb-3.3.1-CVE-2009-0668+0669.patch, +zodb-3.6.0-r1.ebuild, + +files/zodb-3.6.0-CVE-2009-0668+0669.patch: + Non-mainatiner commit: Version bump for security bug 278824. + Arches, please stable according to comment 14.
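Review bot: typo in the second ChangeLog entry: "Non-mainatiner commit" should read "Non-maintainer commit", matching the wording of the zope entry above it.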
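The commit above settles which revisions carry the fix: zope-2.9.10-r1, zope-2.10.7-r1, zodb-3.3.1-r1 and zodb-3.6.0-r1, with the thread also noting that zope 2.8 and later is affected. The following script is an added example, not part of this bug or of Gentoo's tooling: it audits a list of installed net-zope packages against those revisions. The version parser is a deliberately simplified stand-in for Portage's ordering (dotted numeric components plus an optional `-rN` revision; `_p`/`_rc` suffixes are not handled), the slot is assumed to be the first two version components, and the installed-package list at the bottom is constructed sample data.

```python
"""Audit installed net-zope packages for the CVE-2009-0668/0669 fix.

Added example, not code from the bug thread. Fixed revisions come from the
ChangeLog entries in the thread; the installed list below is constructed.
"""
import re

# Fixed ebuild revisions named in the thread, keyed by (package, slot).
FIXED = {
    ("net-zope/zope", "2.9"): "2.9.10-r1",
    ("net-zope/zope", "2.10"): "2.10.7-r1",
    ("net-zope/zodb", "3.3"): "3.3.1-r1",
    ("net-zope/zodb", "3.6"): "3.6.0-r1",
}

# Per the thread: zope 2.8 and later is affected; every zodb in tree is.
# "0" is a constructed lower bound meaning "all versions".
AFFECTED_FROM = {"net-zope/zope": "2.8", "net-zope/zodb": "0"}

_ATOM = re.compile(r"^([\w+-]+/[\w+-]+?)-(\d[\d.]*(?:-r\d+)?)$")
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver):
    """'2.9.10-r1' -> ((2, 9, 10), 1).

    Simplified Gentoo ordering: numeric components compare as a tuple,
    then the -rN revision (missing revision counts as r0).
    """
    m = _VER.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def split_atom(atom):
    """'net-zope/zope-2.9.10-r1' -> ('net-zope/zope', '2.9.10-r1')."""
    m = _ATOM.match(atom)
    if not m:
        raise ValueError(f"unsupported package atom: {atom!r}")
    return m.group(1), m.group(2)


def slot_of(ver):
    """Assumed slot convention for these packages: first two components."""
    nums, _ = parse_version(ver)
    return ".".join(str(n) for n in nums[:2])


def status(atom):
    """Classify one installed package against the fixed revisions."""
    pkg, ver = split_atom(atom)
    if pkg not in AFFECTED_FROM:
        return "not a package named in this bug"
    if parse_version(ver) < parse_version(AFFECTED_FROM[pkg]):
        return "below affected range"
    fixed = FIXED.get((pkg, slot_of(ver)))
    if fixed is None:
        # Affected slot (e.g. zope 2.8) for which no fixed ebuild was attached.
        return "VULNERABLE (no fixed ebuild attached for this slot)"
    if parse_version(ver) >= parse_version(fixed):
        return "patched"
    return f"VULNERABLE (upgrade to {pkg}-{fixed})"


def audit(installed):
    """Map each installed atom to its status string."""
    return {atom: status(atom) for atom in installed}


if __name__ == "__main__":
    # Constructed sample of what `ls /var/db/pkg/net-zope/` might list.
    SAMPLE = [
        "net-zope/zope-2.9.10",
        "net-zope/zope-2.10.7-r1",
        "net-zope/zope-2.8.8",
        "net-zope/zodb-3.3.1-r1",
        "net-zope/zodb-3.6.0",
    ]
    for atom, result in audit(SAMPLE).items():
        print(f"{atom:32} {result}")
```

Feed it the real directory names from `/var/db/pkg/net-zope/` to audit a host; anything reported as VULNERABLE should be bumped to the `-r1` revision for its slot, and a hit in the 2.8 slot has no fixed ebuild in this bug at all.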
Sorry for the spam, forgot to select "remove selected CCs"
There's bug 257545 that indicates this won't even work with Python 2.5, so I doubt there is any point in wasting time with this without a maintainer (there is none) adding a new version to the tree (like zodb 3.7.x or 3.8.x).
(In reply to comment #20)
> There's bug 257545 that indicates this won't even work with Python 2.5, so I
> doubt there is any point in wasting time with this without maintainer (there's
> none) adding a new version in tree (Like zodb 3.7.x or 3.8.x)

If treecleaners will mask and remove zodb, we'll limit arch calling to zope only.
ppc stable
x86 stable
Both stable on alpha.
sparc stable
amd64 stable, all arches done.
GLSA request filed.
No GLSA for webapps.