Red Hat Bugzilla – Bug 522392
CVE-2009-2701 Zope: Information disclosure (files read, removal) when ZEO server configured with blobs support
Last modified: 2009-10-05 03:24:20 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2701 to the following vulnerability: Unspecified vulnerability in the Zope Enterprise Objects (ZEO) storage-server functionality in Zope Object Database (ZODB) 3.8 before 3.8.3 and 3.9.x before 3.9.0c2, when certain ZEO database sharing and blob support are enabled, allows remote authenticated users to read or delete arbitrary files via unknown vectors. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2701 https://mail.zope.org/pipermail/zope-announce/2009-September/002221.html http://pypi.python.org/pypi/ZODB3/3.8.3 http://pypi.python.org/pypi/ZODB3/3.9.0c2 http://www.vupen.com/english/advisories/2009/2534
From: https://mail.zope.org/pipermail/zope-announce/2009-September/002221.html Jim Fulton mentions: "The vulnerability was introduced in ZODB 3.8." While the latest version of Zope, available in EPEL-5 project (zope-2.10.9-1.el5 - http://koji.fedoraproject.org/koji/buildinfo?buildID=12612), seem to use ZODB-3.0 - from BUILD/Zope-2.10.9-final/doc/ZODB.txt: "The Zope Object Database, ZODB, version 3.0", which would indicate this is not an issue for EPEL-5 Zope, e.g.: Zope-2.10.9-final/lib/python/ZODB/__init__.py says: __version__ = "3.7.1" which is still older than 3.8, but introduces enough doubtfulnis about the real version of ZODB, we are using here. Jonathan, could you have a look at the report details, and provide final decision if current EPEL-5's Zope version is affected by this issue? (Better to double-check and be sane, than omit something and be sorry). Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
After reviewing the information I could find, it does look the ZODB version we are shipping is not vulnerable.
Closing based on comment #2. Thank you for checking!