Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : zope3 vulnerabilities (USN-848-1)

Ubuntu Security Notice (C) 2009-2016 Canonical, Inc. / NASL script (C) 2009-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related
patches.

Description :

It was discovered that the Zope Object Database (ZODB) database server
(ZEO) improperly filtered certain commands when a database is shared
among multiple applications or application instances. A remote
attacker could send malicious commands to the server and execute
arbitrary code. (CVE-2009-0668)

It was discovered that the Zope Object Database (ZODB) database server
(ZEO) did not handle authentication properly when a database is shared
among multiple applications or application instances. A remote
attacker could use this flaw to bypass security restrictions.
(CVE-2009-0669)

It was discovered that Zope did not limit the number of new object ids
a client could request. A remote attacker could use this flaw to
consume a huge amount of resources, leading to a denial of service.
(No CVE identifier).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 42146 ()

Bugtraq ID: 35987

CVE ID: CVE-2009-0668
CVE-2009-0669