[ubuntu/zesty-proposed] tryton-server 4.2.1-2 (Accepted)
Jeremy Bicha
jeremy at bicha.net
Tue Apr 4 23:40:07 UTC 2017
tryton-server (4.2.1-2) unstable; urgency=high

  * Add 02_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360).
    Sanitize path in file_open against suffix.
    The patch for CVE-2016-1242 did not cover all cases. Indeed there is a
    case where an external file could be retrieved if it is stored in a folder
    next to the root of trytond starting with the same name but with a suffix.
    Example: '../trytond_suffix'.
Date: 2017-04-04 10:23:02.770492+00:00
Signed-By: Jeremy Bicha <jeremy at bicha.net>
https://launchpad.net/ubuntu/+source/tryton-server/4.2.1-2
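The prefix-match pitfall the changelog describes, as an added illustration that is not trytond's own file_open code: a check that only compares the resolved path against the root string as a prefix, beside the hardened form that also requires a directory-separator boundary. ROOT and the relative paths are constructed sample values.

```python
import posixpath

# Constructed root directory (assumption: the directory a trytond-style
# file_open is meant to serve from). posixpath is used on purpose so the
# results are identical on every platform.
ROOT = "/srv/trytond"


def resolve(root, relpath):
    """Join and normalize, collapsing '..' segments the way the OS would."""
    return posixpath.normpath(posixpath.join(root, relpath))


def inside_root_prefix_only(root, relpath):
    """Weak check: accept any resolved path that starts with the root string.

    This is the gap the changelog points at: a sibling directory whose name
    shares the root's prefix ('/srv/trytond_suffix') is accepted, because
    '/srv/trytond_suffix/...' does start with '/srv/trytond'.
    """
    return resolve(root, relpath).startswith(root)


def inside_root_fixed(root, relpath):
    """Hardened check: the resolved path must be the root itself, or continue
    past the root with a '/' boundary, so a shared prefix alone is not enough."""
    root = posixpath.normpath(root)
    full = resolve(root, relpath)
    return full == root or full.startswith(root + "/")


if __name__ == "__main__":
    samples = ("modules/party/party.py",        # legitimate file below root
               "../trytond_suffix/secret.cfg",  # sibling dir sharing the prefix
               "../../etc/passwd",              # plain traversal, both reject
               ".")                             # the root directory itself
    for rel in samples:
        print(f"{rel!r:34} prefix-only={inside_root_prefix_only(ROOT, rel)!s:5} "
              f"fixed={inside_root_fixed(ROOT, rel)}")
```

The second sample is the case from the changelog: the prefix-only check lets it through, the separator-aware check rejects it.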