Package: tryton-server / 7.0.30-1+deb13u1

Metadata

Package: tryton-server
Version: 7.0.30-1+deb13u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_avoid_call_to_pypi.patch

setup.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 avoid the call for python-magic to pypi.
 The Build-Dependency relatorio >=0.7 contains a code copy of
 python-magic[pypi].
 .
 This patch is subject to be removed, once python-magic from pypi (or an
 equivalent alternative) is available.
 Relevant discussions:
 https://lists.debian.org/debian-python/2017/09/msg00008.html
 https://lists.debian.org/debian-python/2017/09/msg00015.html
 https://lists.debian.org/debian-python/2017/10/msg00021.html
02_canonical_timezone.patch

trytond/tests/test_ir.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use a canonical timezone in tests.
 The timezone 'Canada/Eastern' used in tests has moved to
 package tzdata-legacy only available since trixie.
 For the sake of backports we use the according canonical
 timezone replacement.
03_traceback_in_RPC.patch

bin/trytond | 1 1 + 0 - 0 !
trytond/protocols/jsonrpc.py | 4 3 + 1 - 0 !
trytond/wsgi.py | 10 6 + 4 - 0 !
3 files changed, 10 insertions(+), 5 deletions(-)

 include the traceback only in rpc responses in development mode.
 Supplying unexpected keys in a JSON-RPC create request (e.g., _debug)
 causes a KeyError in the server, and the full Python traceback is
 returned in the JSON-RPC error response. This leaks internal implementation
 details (file paths, function names, library layout)
 which can assist an attacker in further exploitation/reconnaissance.
04_enforce_access_check_html_editor.patch

trytond/ir/routes.py | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 enforce access check in html editor route
 Use .read and .write instead of .browse and .save when editing field via the
 HTML editor.
05_enforce_access_check_export_data.patch

trytond/model/modelstorage.py | 23 23 + 0 - 0 !
1 file changed, 23 insertions(+)

 enforce access check in export_data 
 As the method is using instances to construct the exported data, the access
 must be checked explicitly.