Patch | Description | Author | Forwarded | Bugs | Origin | Last update
---|---|---|---|---|---|---
01_avoid_call_to_pypi.patch | Avoid the call for python-magic to PyPi. The Build-Dependency relatorio >=0.7 contains a code copy of python-magic[pypi]. This patch is subject to be removed once python-magic from pypi (or an equivalent alternative) is available. Relevant discussions: https://lists.debian.org/debian-python/2017/09/msg00008.html, https://lists.debian.org/debian-python/2017/09/msg00015.html, https://lists.debian.org/debian-python/2017/10/msg00021.html | Mathias Behrle <mathiasb@m9s.biz> | not-needed | | debian | 2017-11-06
02_enforce_record_rules.patch | Enforce record rules when only reading fields without an SQL type. This patch fixes the information disclosure leak when reading from function fields with record rules. https://discuss.tryton.org/t/security-release-for-issue-12428/6397 | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream |
03_deny_compressed_content_from_unauth_request.patch | Deny compressed content from unauthenticated requests. This patch fixes the vulnerability to zip bomb attacks via decoded gzip content from unauthenticated users. https://discuss.tryton.org/t/security-release-for-issue-13142/7196 | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream |
04_check_read_access_of_reports_records_13505.patch | Check read access of report records. This patch is part of the fix for https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846. Since 982a131026e7 the access rights are no longer checked on instances, so anyone who has access to the report action can execute the report on any records. | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream |
05_retrieve_groups_actions_wo_check_access_13506.patch | Check read access of report records. This patch is part of the fix for https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846. get_groups does not always return the group of the action. When the method is called with access checked, as there is a record rule on ir.action, the method returns an empty set of group ids, because no actions are found if the user does not share a group. This means that the access check of Report and Wizard never raises an error. | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream |