Issue 2476
- Title
- Missing access control on some relation model for Many2Many
- Priority
- critical
- Status
- resolved
- Nosy list
- bch, ced, daniel, nicoe, yangoon
- Assigned to
- ced
- Keywords
Created on 2012-03-03.13:50:43 by ced, last changed 126 months ago by ced.
Files
| File name | Uploaded | Type | Details |
|---|---|---|---|
| add_group.py | ced, 2012-03-28.11:52:43 | text/plain | view |
Messages
JFTR: Related links in Debian: http://lists.debian.org/debian-security-announce/2012/msg00072.html http://security-tracker.debian.org/tracker/CVE-2012-0215 and later: http://www.debian.org/security/2012/dsa-2444
Fixed with changeset 8e64d52ecea4
I have written a small script to test if vulnerability is fixed. It just add a group to the current user using XML-RPC calls.
> I don't understand why commit message should have this number in more of the link to this issue. A CVE number is cross identifier. Is is the purpose of this number to help identifying all procedures/messages/issues related to this subject.
On 24/03/12 13:03 +0100, Mathias Behrle wrote: > > Mathias Behrle <mathias.behrle@gmx.de> added the comment: > > >From our (the Debian) side we are prepared to do the uploads. > > I propose Mo, 26.03 as release date. Is this ok for you? No, I'm not available to do it before 28/03
I don't understand why commit message should have this number in more of the link to this issue.
From our (the Debian) side we are prepared to do the uploads. I propose Mo, 26.03 as release date. Is this ok for you?
CVE-2012-0215 was assigned by the Debian project to this issue. The according ticket is: The Tryton project discovered a vulnerability caused by missing checks of access permissions on certain models in the Tryton server. The fix consists of disabling 'create', 'write', 'delete' and 'copy' actions via rpc for those models. Please include the CVE number in all commit messages and news related to the subject.
FYI: Forwarded to team@security.debian.org (fixed version 1.6.1-2+squeeze1). Will be uploaded together with unstable immediately after the release. CVE requested.
> Would you like to get a CVE number? AFAIK the security team could assign one. Why not, I don't know exactly how it works.
Here are all the reviews: 2.2: review307001 2.0: review307002 1.8: review304002 1.6: review308001 1.4: review309001
Could you please push also the fix for version 1.6 to codereview. This is the version in Debian stable and only this fix will be accepted, not an update to current 1.6.x. With this fix I would like to coordinate with the security team to have approval for simultaneous uploads to stable and unstable. Would you like to get a CVE number? AFAIK the security team could assign one.
If everybody agree on the fix, I propose this way of working: - Push the fix in trunk and all supported series in one time - Make a release for every series (preferably the same day) - Publish a security news that explains the issue.
Add security roles to nosy list.
Please test the review303001
Relation models for Many2Many doesn't have ir.model.access record as they are just ModelSQL but not ModelView. So I think we must remove create, read, write and delete from _rpc.
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2012-03-29 19:06:11 | ced | set | status: chatting -> resolved |
| 2012-03-29 18:59:56 | yangoon | set | status: resolved -> chatting messages: + msg10475 |
| 2012-03-28 19:55:44 | ced | set | status: testing -> resolved messages: + msg10460 component: + trytond |
| 2012-03-28 11:52:43 | ced | set | files:
+ add_group.py messages: + msg10453 |
| 2012-03-24 13:36:32 | yangoon | set | messages: + msg10429 |
| 2012-03-24 13:08:03 | ced | set | messages: + msg10428 |
| 2012-03-24 13:05:40 | ced | set | messages: + msg10427 |
| 2012-03-24 13:03:58 | yangoon | set | messages: + msg10426 |
| 2012-03-23 13:43:13 | yangoon | set | messages: + msg10419 |
| 2012-03-21 13:40:13 | yangoon | set | messages: + msg10403 |
Showing 10 items. Show all history (warning: this could be VERY long)