[Bug 424820] [NEW] [FFe] Update zodb to 1:3.8.3-1 from Debian unstable (main)
Michael Bienia
michael at bienia.de
Sat Sep 5 13:17:46 UTC 2009
Public bug reported:
zodb is currently uninstallable in karmic as it has a dependency on
python2.3 (bug #412880). The changes necessary for it could probably be
backported to the version currently in karmic (based on the changelog
entries) but the new version fixes three CVEs so it would be good to
have it in.
As the zodb package in Debian unstable contains a bashism in
debian/rules an Ubuntu delta is necessary, but it's already forwarded to
Debian as bug 545150.
Making the package installable again is also needed to remove the zope3
dependency in gaphor (bug #144377) as one of the dependencies needs
python-zodb (zope3 is scheduled for removal (a removal bug is already
filed)).
Debian changelog:
zodb (1:3.8.3-1) unstable; urgency=low
* New upstream release.
-- Fabio Tranchitella <kobold at debian.org> Wed, 02 Sep 2009 07:19:54 +0200
zodb (1:3.8.2-2) unstable; urgency=low
* Get rid of the python2.3 dependency patching the ZEO and ZODB scripts to
not hardcode python2.3. (Closes: #541972)
-- Fabio Tranchitella <kobold at debian.org> Sat, 29 Aug 2009 16:03:01 +0200
zodb (1:3.8.2-1) unstable; urgency=high
* New upstream release, fixes security issues. (Closes: #540465)
* Standards-Version: 3.8.3, no changes required.
* A rebuild is enough to get rid of the python2.3 dependency. (Closes: #541972)
-- Fabio Tranchitella <kobold at debian.org> Fri, 28 Aug 2009 11:06:03 +0200
Upstream changelog:
What's new in ZODB 3.8.3
=======================
New Feature:
- There's a new utility script, strip_versions, that strips version
data from storages. This is needed to prepare databases containing
version records for use with ZODB 3.9, which no longer supports
versions.
Bugs Fixed:
- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
blobs are available. Someone with write access to a ZEO server
configured to support blobs could read any file on the system
readable by the server process and remove any file removable by the
server process.
- Fixed ``NameError`` in cases where a directory cannot be created,
e.g. when the necessary permissions are missing.
- Fixed a pack test that was not compatible with storages that always
return an object count of 0.
- Calling __setstate__ on a persistent object could, under certain
uncommon circumstances, cause the process to crash.
What's new in ZODB 3.8.2
=======================
Bugs Fixed:
- Fixed vulnerabilities in the ZEO network protocol that allow:
- CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
- CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
The vulnerabilities only apply if you are using ZEO to share a
database among multiple applications or application instances and if
untrusted clients are able to connect to your ZEO servers.
- Limit the number of object ids that can be allocated at once to
avoid running out of memory.
Diffstat for the debdiff:
NEWS.txt | 44 +++++++++++
PKG-INFO | 46 ++++++++++++
debian/changelog | 28 +++++++
debian/control | 5 -
debian/rules | 8 ++
setup.py | 4 -
src/ZEO/StorageServer.py | 15 +++-
src/ZEO/auth/auth_digest.py | 2
src/ZEO/scripts/zeoserverlog.py | 10 +-
src/ZEO/tests/auth_plaintext.py | 2
src/ZEO/tests/testZEO.py | 59 +--------------
src/ZEO/zrpc/connection.py | 3
src/ZEO/zrpc/marshal.py | 32 ++++++++
src/ZODB/blob.py | 2
src/ZODB/scripts/strip_versions.py | 110 +++++++++++++++++++++++++++++
src/ZODB/scripts/strip_versions.test | 119 ++++++++++++++++++++++++++++++++
src/ZODB/scripts/tests.py | 7 +
src/ZODB/tests/PackableStorage.py | 3
src/ZODB3.egg-info/PKG-INFO | 46 ++++++++++++
src/ZODB3.egg-info/SOURCES.txt | 2
src/ZODB3.egg-info/entry_points.txt | 1
src/persistent/cPersistence.c | 54 +++++++-------
src/persistent/tests/test_persistent.py | 25 +++++-
23 files changed, 527 insertions(+), 100 deletions(-)
** Affects: zodb (Ubuntu)
Importance: Undecided
Status: Confirmed
--
[FFe] Update zodb to 1:3.8.3-1 from Debian unstable (main)
https://bugs.launchpad.net/bugs/424820