[FFe] Update zodb to 1:3.8.3-1 from Debian unstable (main)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
zodb (Ubuntu) | Fix Released | Undecided | Unassigned | | |
Bug Description
zodb is currently uninstallable in karmic as it has a dependency on python2.3 (bug #412880). The changes necessary for it could probably be backported to the version currently in karmic (based on the changelog entries) but the new version fixes three CVEs so it would be good to have it in.
As the zodb package in Debian unstable contains a bashism in debian/rules an Ubuntu delta is necessary, but it's already forwarded to Debian as bug 545150.
Making the package installable again is also needed to remove the zope3 dependency in gaphor (bug #144377) as one of the dependencies needs python-zodb (zope3 is scheduled for removal (a removal bug is already filed)).
Debian changelog:
zodb (1:3.8.3-1) unstable; urgency=low
* New upstream release.
-- Fabio Tranchitella <email address hidden> Wed, 02 Sep 2009 07:19:54 +0200
zodb (1:3.8.2-2) unstable; urgency=low
* Get rid of the python2.3 dependency patching the ZEO and ZODB scripts to
not hardcode python2.3. (Closes: #541972)
-- Fabio Tranchitella <email address hidden> Sat, 29 Aug 2009 16:03:01 +0200
zodb (1:3.8.2-1) unstable; urgency=high
* New upstream release, fixes security issues. (Closes: #540465)
* Standards-Version: 3.8.3, no changed required.
* A rebuild is enough to get rid of the python2.3 dependency.
(Closes: #541972)
-- Fabio Tranchitella <email address hidden> Fri, 28 Aug 2009 11:06:03 +0200
Upstream changelog:
Whats new in ZODB 3.8.3
=======
New Feature:
- There's a new utility script, strip_versions that strips version
data from storages. This is needed to prepare databases containing
version records for using ZODB 3.9, which no-longer supports
versions.
Bugs Fixed:
- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
blobs are available. Someone with write access to a ZEO server
configured to support blobs could read any file on the system
readable by the server process and remove any file removable by the
server process.
- Fixed ``NameError`` in cases where a directory cannot be created,
e.g. when the necessary permissions are missing.
- Fixed a pack test that was not compatible with storages that always
return an object count of 0.
- Calling __setstate__ on a persistent object could under certain
uncommon cause the process to crash.
Whats new in ZODB 3.8.2
=======
Bugs Fixed:
- Fixed vulnerabilities in the ZEO network protocol that allow:
  - CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
  - CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
  The vulnerabilities only apply if you are using ZEO to share a
  database among multiple applications or application instances and if
  untrusted clients are able to connect to your ZEO servers.
- Limit the number of object ids that can be allocated at once to
avoid running out of memory.
Diffstat for the debdiff:
NEWS.txt | 44 +++++++++++
PKG-INFO | 46 ++++++++++++
debian/changelog | 28 +++++++
debian/control | 5 -
debian/rules | 8 ++
setup.py | 4 -
src/ZEO/
src/ZEO/
src/ZEO/
src/ZEO/
src/ZEO/
src/ZEO/
src/ZEO/
src/ZODB/blob.py | 2
src/ZODB/
src/ZODB/
src/ZODB/
src/ZODB/
src/ZODB3.
src/ZODB3.
src/ZODB3.
src/persistent
src/persistent
23 files changed, 527 insertions(+), 100 deletions(-)
From #ubuntu-motu (2009-09-05):
14:50:44 ScottK | geser: +1 from me based on the changelog (feel free to put that in the bug when you write it).