Created on 2016-08-17.12:58:25 by ced, last changed 57 months ago by ced.
The releases have been published.
Here is review32491003 for the announce.
Please use CVE-2016-1241 for this issue.
Proposed timeline: 2016-08-30 for release, 2016-08-31 for news.
Will do ASAP, back at home later this evening.
Here is review32441002 which fixes the problem and adds a test. I think we will need to publish a CVE, @yangoon could you manage one?
While reading https://github.com/odoo/odoo/issues/13175, I was wondering if trytond was also affected. Indeed series <=3.0 are not affected, but r c9be44cd05e1 removed the protection by mistake. The new password_hash field did not receive the same hiding treatment as the password field. The exploitation is quite difficult because of the existing protections against such a leak. The protections are the usage of strong hashes (bcrypt and sha1) and the random salt.
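To make the regression described in that message concrete, here is an added, illustrative example (not trytond's own code) of a minimal read layer that redacts credential-bearing fields. The record layout, the `read`/`leaked_fields` helpers and the name-pattern audit rule are assumptions made for this note; the hashing routine is PBKDF2 from the standard library, standing in for whatever scheme the real project uses. The "before" state hides only `password`, so the stored `password_hash` is returned to the caller; the "after" state hides both. The `leaked_fields` audit shows how to catch such a drift in a test rather than relying on someone remembering to extend the hidden set when a new field is added.

```python
"""Added example: redacting credential fields in a model read.

Illustrative code written for this note, not Tryton's implementation.
Field names, the helpers and the audit regex are assumptions.
"""
import hashlib
import os
import re

# Fields that must never be returned by read(), whatever the caller's rights.
# The regression in the thread: the set only knew about 'password', and the
# newly introduced 'password_hash' column was not added to it.
HIDDEN_FIELDS_BEFORE = frozenset({"password"})
HIDDEN_FIELDS_AFTER = frozenset({"password", "password_hash"})

# Name-pattern rule used by the audit check so that future fields such as
# 'password_reset_token' are flagged even if nobody extends the explicit set.
SENSITIVE_NAME = re.compile(r"(password|secret|token|salt)", re.IGNORECASE)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-SHA256 for the constructed sample record (assumed scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def read(records, field_names, hidden):
    """Return the requested fields per record, replacing hidden ones with None."""
    out = []
    for rec in records:
        row = {name: (None if name in hidden else rec.get(name)) for name in field_names}
        out.append(row)
    return out


def leaked_fields(model_fields, hidden):
    """Audit: field names that look credential-bearing but are not hidden."""
    return sorted(f for f in model_fields if SENSITIVE_NAME.search(f) and f not in hidden)


# Constructed sample data: 'password' is write-only (no stored value), the
# hash lives in 'password_hash', as in the thread's description.
USERS = [{"id": 1, "login": "alice", "password_hash": hash_password("correct horse")}]
MODEL_FIELDS = ["id", "login", "password", "password_hash"]


def demo_before():
    """Read with the regressed hidden set: the hash is returned to the caller."""
    return read(USERS, MODEL_FIELDS, HIDDEN_FIELDS_BEFORE)


def demo_after():
    """Read with the fixed hidden set: both credential fields are redacted."""
    return read(USERS, MODEL_FIELDS, HIDDEN_FIELDS_AFTER)


if __name__ == "__main__":
    print(demo_before())
    print(demo_after())
    print(leaked_fields(MODEL_FIELDS, HIDDEN_FIELDS_BEFORE))
    print(leaked_fields(MODEL_FIELDS, HIDDEN_FIELDS_AFTER))
```

The audit function is the part worth keeping in a project's test suite: a regression test asserting `leaked_fields(model_fields, hidden) == []` fails the moment a new credential-looking column is added without being hidden, which is exactly the mistake the thread reports.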
|2016-08-31 12:27:52||ced||set||status: testing -> resolved; messages: + msg28227|
|2016-08-30 14:49:52||ced||set||messages: + msg28213|
|2016-08-25 19:55:28||ced||set||reviews: 32441002 -> 32441002,32491003; messages: + msg27995|
|2016-08-19 10:31:23||yangoon||set||messages: + msg27788|
|2016-08-18 11:54:01||yangoon||set||messages: + msg27783|
|2016-08-17 13:07:33||yangoon||set||messages: + msg27761|
|2016-08-17 13:01:09||ced||set||status: in-progress -> testing; messages: + msg27757; keyword: + review|