A missing access control check was found in the way Zope Enterprise Objects (ZEO) used to manage remote connections to the Zope server. A remote attacker could use this flaw to execute arbitrary Python code in the context of
Created attachment 354876
ZEO patch by Jim Fulton (for both CVE-2009-0668 and CVE-2009-0669)
Public now via:
A new release of ZODB is available here:
(There is also a new development release at
New Zope releases that include the fixes can be found here:
conga (Remote Management System used by Red Hat Cluster Suite) uses zope, but does not ship the ZEO/ZODB component and hence is not affected by this problem.
zope is currently only part of EPEL5 (2.10.7).
zope-2.10.9-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.