CVE-2010-3495

Related Vulnerabilities: CVE-2010-3495  

Debian Bug report logs - #599711
CVE-2010-3495


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 10 Oct 2010 11:24:08 UTC

Severity: important

Tags: patch, security

Fixed in version zodb/1:3.9.4-1.1

Done: Moritz Muehlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#599711; Package zodb. (Sun, 10 Oct 2010 11:24:11 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>. (Sun, 10 Oct 2010 11:24:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-3495
Date: Sun, 10 Oct 2010 13:22:06 +0200
Package: zodb
Severity: grave
Tags: security

This has been assigned CVE-2010-3495:
https://bugs.launchpad.net/zodb/+bug/135108

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#599711; Package zodb. (Sat, 30 Oct 2010 13:42:05 GMT)


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>. (Sat, 30 Oct 2010 13:42:05 GMT)


Message #10 received at 599711@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: Moritz Muehlenhoff <jmm@debian.org>, 599711@bugs.debian.org
Subject: Re: CVE-2010-3495
Date: Sat, 30 Oct 2010 15:39:53 +0200
Although there is a more general issue surrounding asyncore.accept, the
bug in zodb was reported to affect OS X and I do not see any report that
it affects Linux or FreeBSD as well.  In that case, this is not a
significant bug for Debian.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#599711; Package zodb. (Sat, 30 Oct 2010 13:57:06 GMT)


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>. (Sat, 30 Oct 2010 13:57:06 GMT)


Message #15 received at 599711@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 599711@bugs.debian.org
Subject: Re: CVE-2010-3495
Date: Sat, 30 Oct 2010 15:54:43 +0200
This should fix the bug, if necessary.

Ben.

--- zodb-3.9.4/debian/changelog
+++ zodb-3.9.4/debian/changelog
@@ -1,3 +1,11 @@
+zodb (1:3.9.4-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix some cases where a new or aborted connection would cause the server
+    to crash (CVE-2010-3495) (Closes: #599711)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 30 Oct 2010 15:36:31 +0200
+
 zodb (1:3.9.4-1) unstable; urgency=low
 
   [ Brian Sutherland ]
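Review bot: The new entry's "Fix some cases where a new or aborted connection would cause the server to crash" does not say which case this upload handles or which ones remain. Naming the handled condition (the `conn.addr is None` path in src/ZEO/StorageServer.py) in that changelog line would let someone reading only the changelog judge how much of CVE-2010-3495 this upload covers.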
--- zodb-3.9.4.orig/src/ZEO/StorageServer.py
+++ zodb-3.9.4/src/ZEO/StorageServer.py
@@ -133,6 +133,8 @@
         addr = conn.addr
         if isinstance(addr, type("")):
             label = addr
+        elif addr is None:
+            label = ''
         else:
             host, port = addr
             label = str(host) + ":" + str(port)
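Review bot: In the added `elif addr is None:` branch, `label = ''` gives every address-less connection the same empty label, so they cannot be told apart from each other or from an empty string address wherever `label` is shown; a visible placeholder such as `'<unknown>'` would be clearer. The hunk also leaves `host, port = addr` in the `else` branch unguarded, so any other `addr` that is not a two-item sequence still raises there. A short comment stating when `conn.addr` can be `None` would document why the new branch exists.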
--- END ---

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Added tag(s) patch. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sat, 30 Oct 2010 13:57:08 GMT)


Severity set to 'important' from 'grave' Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sat, 30 Oct 2010 13:57:10 GMT)


Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Thu, 04 Nov 2010 18:21:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 04 Nov 2010 18:21:07 GMT)


Message #24 received at 599711-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 599711-close@bugs.debian.org
Subject: Bug#599711: fixed in zodb 1:3.9.4-1.1
Date: Thu, 04 Nov 2010 18:18:32 +0000
Source: zodb
Source-Version: 1:3.9.4-1.1

We believe that the bug you reported is fixed in the latest version of
zodb, which is due to be installed in the Debian FTP archive:

python-zodb_3.9.4-1.1_i386.deb
  to main/z/zodb/python-zodb_3.9.4-1.1_i386.deb
zodb_3.9.4-1.1.diff.gz
  to main/z/zodb/zodb_3.9.4-1.1.diff.gz
zodb_3.9.4-1.1.dsc
  to main/z/zodb/zodb_3.9.4-1.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599711@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated zodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 04 Nov 2010 18:50:19 +0100
Source: zodb
Binary: python-zodb
Architecture: source i386
Version: 1:3.9.4-1.1
Distribution: unstable
Urgency: low
Maintainer: Debian/Ubuntu Zope Team <pkg-zope-developers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 python-zodb - Set of tools for using the Zope Object Database (ZODB)
Closes: 599711
Changes: 
 zodb (1:3.9.4-1.1) unstable; urgency=low
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2010-3495 (Closes: #599711)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 Dec 2010 07:31:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:54:22 2019; Machine Name: buxtehude
