Security Release for issue5795 and issue5808

Publié: 2016-08-31 10:00:00+00:00 release security

Synopsis

Two vulnerabilities in trytond have been found by Cédric Krier.

The CVE-2016-1241 allows an authenticated user to read the hashed password of other users. The exploitation is not easy thanks to the existing protection of Tryton against such leak. Those protections are usage of strong hash method (bcrypt or sha1) and the salt of the password with random data (protection against rainbow tables).

The CVE-2016-1242 allows an authenticated user with write access to report or icon definition to make the server opens any readable file. By default, only the administrator group has such right access.

Workaround

There is no workaround for CVE-2016-1241.

For CVE-2016-1242, the modification rights could be removed to all users for the report and icon records.

Resolution

All users should upgrade trytond to the latest version.

It is recommended that every user changes his password.

Affected versions per series: <=3.2.16, <=3.4.13, <=3.6.11, <=3.8.7 and <=4.0.3

Non affected versions per series: >=3.2.17, >=3.4.14, >= 3.6.12, >=3.8.8 and >=4.0.4

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Tryton Unconference Barcelona 2016

Publié: 2016-08-18 10:00:00+00:00 TUB2016

This year the annual Tryton Unconference will come back to Barcelona from the 17th to 21st of October at the Mobile world centre.

This will be the sixth edition. Users, developers and interested people will have the opportunity to discover or talk about Tryton.

This year the first day will be dedicated to business oriented talks. And the second day will remain more focused on developer talks.

Talk proposals and schedule are managed on Lanyrd.

A Sprint is planned to be organised the 19th, 20th and 21st. The place will be announced later.

Registration is available at TUB 2016.

If you want to request a talk on a specific topic, you can send your request to the Tryton mailing list. If you have question about the organisation, please contact the foundation at foundation@tryton.org.

And don't forget to spread the word! #TUB2016

Neso retirement

Publié: 2016-06-20 12:00:00+00:00 neso
It was decided to stop the development of Neso, our standalone client/server. So the last working version of neso will be 3.8.2. See issue5642 for more details.

Security Announce for issue5570

Publié: 2016-06-15 12:00:00+00:00 security

Synopsis

A missing access right has been found by Cédric Krier for the Model 'product.product-production.bom'. That allows a malicious authenticated user to write, create or delete records of this type (see issue5570).

Impact

Any authenticated user can modify the links between products and BoM's.

Resolution

All users should create manually a default model access which limits to read only and a second model access limited to the group "Production Administration" with full access.

Affected versions: all versions of production module prior to series 4.0 included.

Non affected version: all versions of production module after series 4.0 non-included.

References

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Translation Release for series 4.0

Publié: 2016-05-11 10:00:00+00:00 release

Due to an issue with Pootle, the initial release of series 4.0 is missing many translations. So we decided to make new set of releases with the correct translations even if it breaks rule of no database updates for bug fix releases.

If you have already updated your server to the series 4.0, you need to also update the database for this bug fix release. Sorry for the inconvenient.

New Tryton release 4.0

Publié: 2016-05-02 18:00:00+00:00 release

We are proud to announce the 4.0 release of Tryton.

This is the first release of Tryton that adds support for Python 3. The server and most of the modules support it. The missing modules are mainly the ones using the WebDAV and LDAP. The client will be ported once GTK-3 support is added. The release sees also a large refactoring of the protocol stack which was previously based on the SimpleHTTPServer of Python. Now it uses a WSGI application running on the Werkzeug server by default. Any WSGI server can be used to run Tryton, this removes the design constraint of single threaded process and opens the way for using workers. All modules have been reviewed to enforce the naming convention about the document identification. The name "code" is used for all referential documents like parties, product. The name "number" is used for the internal identification of all operational documents like sales, purchases, invoices etc. And finally, the name "reference" is used for identifications from external systems like the sale order number of the supplier of your purchase. Two new languages are now available on default installation the Lao and the Simplified Chinese.

As Richard Stallman reminded to us, the migration from previous series is fully supported.

Major changes for the user

  • The new note functionality handles the management system for general textual notes on any arbitrary model in Tryton. On click it opens a notes dialog, where the user can maintain notes. The read state of every note is managed per user. Like the attachments, the icon in the tool-bar visualizes when there are notes on a model.

    Tryton note Sao note
  • The CSV import and export has been highly reworked for a better experience. The import dialog now supports drag and drop to order the selected columns like the CSV export wizard. Both wizards are able to use any of the encodings available in Python. It is now possible to configure the CSV parameters for the export result.

    Export CSV
  • The charts provided by the graph view have been improved. Now they use softer colors, thinner lines and smaller arcs. On the background, dash style is used instead normal line for axis representation. A smart transparency value is applied for filling lines to always show through it.

  • A new button in the scheduler allows running a job once, useful to run jobs on demand or to test new settings.

Accounting

  • The report design of the General Ledger, Trial Balance and Aged Balance has been re-worked. They are now based on the new dynamic views. This provides a performance burst and allows to filter the records more precisely. In addition to the previous printable output, they also gain the CSV export which is useful to perform specific operations in a spreadsheet application.

    General Ledger
  • A date field is added to the Aged Balance, to modify the date on which the calculations are based. With this feature, it is possible to generate reports based on a past date as if it would have been generated by ignoring reconciliation that happened after that date.

  • The functionality of Third Party Balance is merged into the Aged Balance. We found that the Third Party Balance computed the same data as the Aged Balance with the type Customers and Suppliers.

Party

  • The Name field on party is no longer required for input. This solves a long standing request to be able to maintain parties where the name is not known on creation.

Product

  • A configuration form is added to the product module with these options:

    • The default value for Use Category fields.
    • The default value for the Cost Price Method.
  • It was not always easy to explain the design of products with the templates, especially when it was not really relevant for the current business. So we have redesigned both views to be very similar and indeed they use the exact same design. The fields, that do not exist on the product, are automatically replaced by the value of the template.

    Product Variant
  • The field Category is replaced by a Categories field, to support the ability of adding many categories to one product. This is very useful for example to create multi-axis categories for web shop.

Classification

This new module defines the reference basis to create different kinds of classifications for products. It adds a generic field Classification on the product form.

Classification Taxonomic

This new module introduces the taxonomic classification of products as an example using the new Classification module. It includes classifications by Taxon and by Cultivar.

Purchase

  • The field Delivery Time on product supplier is replaced by Lead Time which increases the precision from days to microseconds.
  • For each warehouse, it is now possible to define the location where the goods are picked in case of supplier return. If this location is not defined, the default storage will be used.

Request

The purchase request functionalities have been decoupled from stock_supply and sale_supply modules into a new separate module named purchase_request. This is to prepare future work that will use only purchase requests without the need of other stock_supply features.

  • A new state Exception is added to the purchase request. This is useful to manage cancelled purchase when linked to drop shipments.

Sale

  • The field Delivery Date on model Sale Line is renamed into Shipping Date to avoid any confusion.
  • The field Delivery Time on product form is replaced by Lead Time which increases the precision from days to microseconds.
  • The custom history management on Sale Opportunity is replaced by the general revision functionality of the client. This increases its precision and works automatically for any new fields.

Stock

  • The address of the destination warehouse of the Internal Shipment is now displayed on the report.
  • Now it is possible to manually do a move with the new Do button. This is useful for example to get correct accounting when you have long living productions.
  • Supplier return shipments now have a supplier and a delivery address fields. Those fields will be automatically populated for shipments created from purchase.

Production

Routing

This new module defines the routings, steps and operations for productions. A routing is a list of ordered steps and each step is defined by a generic operation.

Work

This new module completes the routing module by creating the Works of a production based on its routing. A Work is linked to a Work Center which defines the cost using one of these two methods: Per Cycle or Per Hour. The cost of a work is computed using the Cycles created on it and later added to the global cost of the production.

Major changes for the developer

  • The domains are now accepting a new parent_of operator which recursively returns all the records that are parents of the searched records. This is the opposite of the existing child_of operator.
  • It is now possible to inherit from a view that already inherits another view from a different model.
  • The new where domain operator is useful when you need to search on a xxx2Many with a full sub-domain instead of separated clauses. It has the advantage to avoid to fetch an intermediary result by using a sub-query.
  • The Transaction design has been reworked to be closer to the design defined by the PEP-0249. This new design allows to support nested transactions. It also supports multiple cursors for the same transaction, reducing the memory consumption when iterating over large result sets.
  • A new context model is introduced, to save the trouble of writing simple wizards for configuring reports by setting some values in the context. With this new design, the developer can define a model for which each field will define the values of the context. The form of this model will be displayed on top of the view and the view will be automatically reloaded when the context is changed.
  • Now its possible to have reports in plain, XML, HTML and XHTML reports. With this change the report infrastructure can be reused for example to design email templates.
  • This release adds support for the Two-Phase commit protocol which allows to coordinate distributed transactions. By default, Tryton uses a single transaction from the database back-end. But when Tryton has to communicate with other systems, it is good to use TPC to keep data integrity. The implementation follows the API of the Zope Data Manager. The data managers of the Zope community can be used within Tryton.
  • Thanks to the two-phase commit protocol now mails can be sent when the transaction is committed, so if something goes wrong and the transaction is rolled back no mails are sent.

Accounting

  • The reconciliation process now stores the date of the reconciliation. By default, it is the highest date of the reconciled lines. This allows to filter reconciled lines based on this date, for example to generate a report with the unreconciled lines before a specific date.

  • The Credit Notes have been merged into the Invoices. They are now standard invoices with negative quantities. This allows to easily group both types into a single document. The numbering can still be differentiated depending on the sign of the lines.

    Note: with the merge of Invoice and Credit Note, the signs of the taxes for Credit Note must be inverted manually.

Product

  • Uom.round is now an instance method which makes more sense according to its signature.

Purchase

  • The Purchase has received a done transition like the Sale to allow extensions to perform some action when this transition is performed.
  • It is now possible to search Purchase Requests using the Purchase field.

WebDAV

WebDAV has been decoupled from trytond into a separate module which improves the modularity of the system. Indeed many setups do not use the WebDAV so it was a little bit bloated to have it into the base. Also dependencies of this module prevented to add the support of Python 3 to trytond. So, for now, the WebDAV protocol is managed by a separated process but it will probably return in the future into the main process.

I Jornadas Tryton in Barcelona - Call for talks

Publié: 2016-03-24 00:51:07+00:00 jornadas

As already announced on the Spanish mailing list, several Spanish companies who provide services around Tryton are organizing the I Jornadas Tryton in Barcelona, which will be held on 23th and 24th May at an excellent location, the Mobile World Centre.

The plan is that the content of the conference will be split between user-oriented on Monday 23th and developer-oriented on Tuesday 24th.

Subscription is already open at Eventbrite.

Yet the event will not succeed without your participation, so it's time to collect your proposals to make a presentation for the event, which will be held in Spanish.

Topics may target users or developers and can include, among others:

Do not hesitate to send us your proposal. We're looking forward to learn about what you know and how Tryton is changing businesses around you.

Just send an e-mail to jornadas.tryton@gmail.com before 17th April with a short explanation of what your talk will be about.

Tryton Unconference 2016 - Call for locations

Publié: 2016-03-23 14:05:31+00:00 TUL

After last year's excellent Tryton Unconference in Buenos Aires, the Tryton Foundation already started to think about this year's unconference, which will be held just after 4.2 release due in autumn.

If you're interested as an individual or organization to host TUx 2016 (our sixth unconference already!) do not hesitate to send your application to foundation@tryton.org before 30th April.

Which city will follow Liège, Barcelona, Leipzig and Buenos Aires?

Videos of the Tryton Unconference 2015

Publié: 2016-01-01 09:00:00+00:00 TUBA video
The videos recorded during the last Tryton Unconference 2015 are available. The slides can also be downloaded.

Security Release for issue5167

Publié: 2015-12-17 07:00:00+00:00 release security

Synopsis

A vulnerability in trytond has been found by Cédric Krier, that allow a malicious authenticated user to write on fields for which he doesn't have access (see issue5167).

Impact

Any authenticated user can write on field for which he doesn't have access. Other access rights are correctly enforced.

Workaround

There is no workaround.

Resolution

All users should upgrade trytond to the latest version.

Affected versions per series: <=3.8.0, <=3.6.4, <=3.4.7 and <=3.2.9

Non affected version per series: >=3.8.1, >=3.6.5, >=3.4.8 and >=3.2.10

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.