Package: tryton-server / 6.0.29-2+deb12u3

Metadata

Package: tryton-server
Version: 6.0.29-2+deb12u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_avoid_call_to_pypi.patch

setup.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 avoid the call for python-magic to pypi.
 The Build-Dependency relatorio >=0.7 contains a code copy of
 python-magic[pypi].

 This patch is to be removed once python-magic from pypi (or an
 equivalent alternative) is available.
 Relevant discussions:
 https://lists.debian.org/debian-python/2017/09/msg00008.html
 https://lists.debian.org/debian-python/2017/09/msg00015.html
 https://lists.debian.org/debian-python/2017/10/msg00021.html
02_enforce_record_rules.patch

trytond/model/modelsql.py | 2 1 + 1 - 0 !
trytond/tests/test_rule.py | 27 27 + 0 - 0 !
2 files changed, 28 insertions(+), 1 deletion(-)

 enforce record rules when only reading fields without an sql type.
 This patch fixes the information disclosure leak when reading from
 function fields with record rules.
 https://discuss.tryton.org/t/security-release-for-issue-12428/6397
03_deny_compressed_content_from_unauth_request.patch

trytond/protocols/wrappers.py | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 deny compressed content from unauthenticated requests
 This patch fixes the vulnerability to zip bomb attacks via
 decoded gzip content from unauthenticated users.
 https://discuss.tryton.org/t/security-release-for-issue-13142/7196
04_check_read_access_of_reports_records_13505.patch

trytond/report/report.py | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 check read access of report records.
 This patch is part of the fix for
 https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846
 Since 982a131026e7 the access rights are no longer checked on instances.
 So anyone who has access to the report action can execute the report on any records.
05_retrieve_groups_actions_wo_check_access_13506.patch

trytond/res/ir.py | 20 11 + 9 - 0 !
1 file changed, 11 insertions(+), 9 deletions(-)

 check read access of report records.
 This patch is part of the fix for
 https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846
 get_groups does not always return the groups of the action.
 When the method is called with access checked, as there is a record rule on ir.action,
 the method returns an empty set of group ids. This is because no actions are found
 if the user does not share a group. This means that the access check of Report and Wizard
 never raises an error.