Tryton Unconference Liège 2017 is coming!

Security Release for issue6361

Veröffentlicht: 2017-04-04 18:00:00+00:00 release security

Synopsis

A vulnerability in trytond has been found by Cédric Krier.

The CVE-2017-0360 allows an authenticated user with write access to report or icon definition to make the server open any readable file under any sibling folder of the trytond installation but only if starts with trytond (for example: ../trytond_suffix). This is a remaining case from CVE-2016-1242

Workaround

The sibling folder starting with trytond could be renamed.

Resolution

All users should upgrade trytond to the latest version.

Affected versions per series: <=3.4.16, <=3.6.14, <=3.8.10, <=4.0.7 and <=4.2.2

Non affected versions per series: >=3.4.17, >=3.6.15, >=3.8.11, >=4.0.8 and >=4.2.3

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Security Release for issue5795 and issue5808

Veröffentlicht: 2016-08-31 10:00:00+00:00 release security

Synopsis

Two vulnerabilities in trytond have been found by Cédric Krier.

The CVE-2016-1241 allows an authenticated user to read the hashed password of other users. The exploitation is not easy thanks to the existing protection of Tryton against such leak. Those protections are usage of strong hash method (bcrypt or sha1) and the salt of the password with random data (protection against rainbow tables).

The CVE-2016-1242 allows an authenticated user with write access to report or icon definition to make the server opens any readable file. By default, only the administrator group has such right access.

Workaround

There is no workaround for CVE-2016-1241.

For CVE-2016-1242, the modification rights could be removed to all users for the report and icon records.

Resolution

All users should upgrade trytond to the latest version.

It is recommended that every user changes his password.

Affected versions per series: <=3.2.16, <=3.4.13, <=3.6.11, <=3.8.7 and <=4.0.3

Non affected versions per series: >=3.2.17, >=3.4.14, >= 3.6.12, >=3.8.8 and >=4.0.4

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Security Announce for issue5570

Veröffentlicht: 2016-06-15 12:00:00+00:00 security

Synopsis

A missing access right has been found by Cédric Krier for the Model 'product.product-production.bom'. That allows a malicious authenticated user to write, create or delete records of this type (see issue5570).

Impact

Any authenticated user can modify the links between products and BoM's.

Resolution

All users should create manually a default model access which limits to read only and a second model access limited to the group "Production Administration" with full access.

Affected versions: all versions of production module prior to series 4.0 included.

Non affected version: all versions of production module after series 4.0 non-included.

References

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Security Release for issue5167

Veröffentlicht: 2015-12-17 07:00:00+00:00 release security

Synopsis

A vulnerability in trytond has been found by Cédric Krier, that allow a malicious authenticated user to write on fields for which he doesn't have access (see issue5167).

Impact

Any authenticated user can write on field for which he doesn't have access. Other access rights are correctly enforced.

Workaround

There is no workaround.

Resolution

All users should upgrade trytond to the latest version.

Affected versions per series: <=3.8.0, <=3.6.4, <=3.4.7 and <=3.2.9

Non affected version per series: >=3.8.1, >=3.6.5, >=3.4.8 and >=3.2.10

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Security Release for issue4155

Veröffentlicht: 2014-09-30 10:00:00+00:00 release security

Synopsis

A vulnerability in trytond has been found by duesenfranz, that might allow a malicious user to execute arbitrary commands on the server via the safe_eval function (see issue4155).

Impact

Any authenticated user can run arbitrary commands on the server with the permissions of the trytond user.

Workaround

There is no workaround.

Resolution

All users should upgrade trytond to the latest version of the used series.

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Security Release for issue3446

Veröffentlicht: 2013-11-04 10:00:00+00:00 release security

Synopsis

A vulnerability in tryton has been found, that might allow a malicious server to send a crafted extention as answer to a report request leading the client to write the report on any file of the client host with the right of the user running the client (see issue3446).

Impact

Any file can be created on the client host with the access permissions of the user running the client.

Workaround

Users should connect only to trusted servers.

Resolution

All users should upgrade to the latest version of the used series.

Concern?

Any security concerns should be reported on the bug-tracker at http://bugs.tryton.org/ with the type security.