Debian Patches
Status for tryton-server/6.0.29-2+deb12u4
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 01_avoid_call_to_pypi.patch | Avoid the call for python-magic to PyPi. The Build-Dependency relatorio >=0.7 contains a code copy of python-magic[pypi]. This patch is subject to be removed once python-magic from pypi (or an equivalent alternative) is available. Relevant discussions: https://lists.debian.org/debian-python/2017/09/msg00008.html https://lists.debian.org/debian-python/2017/09/msg00015.html https://lists.debian.org/debian-python/2017/10/msg00021.html | Mathias Behrle <mathiasb@m9s.biz> | not-needed | | debian | 2017-11-06 |
| 02_enforce_record_rules.patch | Enforce record rules when only reading fields without an SQL type. This patch fixes the information disclosure leak when reading from function fields with record rules. https://discuss.tryton.org/t/security-release-for-issue-12428/6397 | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream | |
| 03_deny_compressed_content_from_unauth_request.patch | Deny compressed content from unauthenticated requests. This patch fixes the vulnerability to zip bomb attacks via decoded gzip content from unauthenticated users. https://discuss.tryton.org/t/security-release-for-issue-13142/7196 | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream | |
| 04_check_read_access_of_reports_records_13505.patch | Check read access of report records. This patch is part of the fix for https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846 Since 982a131026e7 the access rights are no longer checked on instances, so anyone who has access to the report action can execute the report on any records. | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream | |
| 05_retrieve_groups_actions_wo_check_access_13506.patch | Check read access of report records. This patch is part of the fix for https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846 get_groups does not always return the group of the action. When the method is called with access checked, as there is a record rule on ir.action, the method returns an empty set of group ids. This is because no actions are found if the user does not share a group. This means that the access check of Report and Wizard never raises an error. | Cédric Krier <cedric.krier@b2ck.com> | yes | | upstream | |
| 06_traceback_in_RPC.patch | Include the traceback only in RPC responses in development mode. Supplying unexpected keys in a JSON-RPC create request (e.g., _debug) causes a KeyError in the server, and the full Python traceback is returned in the JSON-RPC error response. This leaks internal implementation details (file paths, function names, library layout), which can assist an attacker in further exploitation/reconnaissance. | Cédric Krier <cedric.krier@b2ck.com> | no | | debian | 2025-11-25 |
| 07_enforce_access_check_html_editor.patch | Enforce access check in HTML editor route. Use .read and .write instead of .browse and .save when editing a field via the HTML editor. | Cédric Krier <cedric.krier@b2ck.com> | no | | debian | 2025-11-25 |
| 08_enforce_access_check_export_data.patch | Enforce access check in export_data. As the method uses instances to construct the exported data, the access must be checked explicitly. | Cédric Krier <cedric.krier@b2ck.com> | no | | debian | 2025-11-25 |
All known versions for source package 'tryton-server'
- 7.0.40-1 (sid, forky)
- 7.0.30-1+deb13u1 (trixie-security)
- 7.0.30-1 (trixie)
- 6.0.29-2+deb12u4 (bookworm-security)
- 6.0.29-2+deb12u3 (bookworm)
