A weakness was found in the Zope Enterprise Objects (ZEO) authentication protocol. A remote attacker could use this flaw to bypass the authentication to the Zope Object Database (ZODB).
Public now via: http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html

A new release of ZODB is available here: http://pypi.python.org/pypi/ZODB3/3.8.2

(There is also a new development release at http://pypi.python.org/pypi/ZODB3/3.9.0b5.)

New Zope releases that include the fixes can be found here:
http://www.zope.org/Products/Zope/2.10.9
http://www.zope.org/Products/Zope/2.11.4
http://www.zope.org/Products/Zope/2.8.11
http://www.zope.org/Products/Zope/2.9.11
http://www.zope.org/Products/Zope3/3.1.1
http://www.zope.org/Products/Zope3/3.2.4
http://www.zope.org/Products/Zope3/3.3.3
http://www.zope.org/Products/Zope3/3.4.1

Upstream patch can be found in: https://bugzilla.redhat.com/show_bug.cgi?id=513422#c1
conga (Remote Management System used by Red Hat Cluster Suite) uses zope, but does not ship ZEO/ZODB component and hence is not affected by this problem. zope is currently only part of EPEL5 (2.10.7).
http://koji.fedoraproject.org/koji/taskinfo?taskID=1588264
zope-2.10.9-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.