Security Release for issue6361


Veröffentlicht: 2017-04-04 18:00:00+00:00   |   Прочесть по-русски   |   Lire en français   |   Read in English   |   Llegeix-ho en català   |   Beri v slovenščini   |   Leer en español   |  Weitere Einträge über release security

Synopsis

A vulnerability in trytond has been found by Cédric Krier.

The CVE-2017-0360 allows an authenticated user with write access to report or icon definition to make the server open any readable file under any sibling folder of the trytond installation but only if starts with trytond (for example: ../trytond_suffix). This is a remaining case from CVE-2016-1242

Workaround

The sibling folder starting with trytond could be renamed.

Resolution

All users should upgrade trytond to the latest version.

Affected versions per series: <=3.4.16, <=3.6.14, <=3.8.10, <=4.0.7 and <=4.2.2

Non affected versions per series: >=3.4.17, >=3.6.15, >=3.8.11, >=4.0.8 and >=4.2.3

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.