Tryton - Issues


Issue7792

Title: Bus fails on ssl connection
Priority: bug
Status: resolved
Superseder:
Nosy List: bch, ced, nicoe, pokoli, sharkcz, yangoon
Type: security
Components: tryton
Assigned To: ced
Keywords: review
Reviews: 54401002

Created on 2018-10-18.00:06:35 by ced, last changed by ced.

Messages
msg44990 (view) Author: [hidden] (yangoon) Date: 2018-11-23.14:20:07
> Cédric Krier <cedric.krier@b2ck.com> added the comment:
> 
> As we can not get CVE number on time, I propose to stop caring about CVE
> numbers. Our issue number is already a unique identifier for the issue.

My information from the security team:

Everyone can request one for public issues

https://cveform.mitre.org -> "Select a request type" -> "Request a CVE ID"

They're usually quick to reply, rarely more than a day.
msg44989 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-11-23.13:54:41
As we can not get CVE number on time, I propose to stop caring about CVE numbers. Our issue number is already a unique identifier for the issue.
msg44988 (view) Author: [hidden] (yangoon) Date: 2018-11-23.13:41:28
CVE-2018-19443 was assigned directly from MITRE by request from Debian for 

https://discuss.tryton.org/t/security-release-for-issue7792/830
https://bugs.tryton.org/issue7792

Please update the advisories accordingly.
msg44662 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-31.08:41:27
Fixed with r 410709f6270b and r 873f265705e4
msg44627 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-27.10:43:56
I wrote the news: https://discuss.tryton.org/t/security-release-for-issue7792/830
msg44626 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-27.10:04:50
I requested one from https://distributedweaknessfiling.org/, I got a few exchanges but I still have no number. I think we should not wait longer for that. (We can still add the number to the news later).
I propose to make the security release on Wednesday 31 October.
msg44557 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-24.18:37:43
I sent a request for a number.
msg44536 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-23.18:40:01
I propose to get a CVE number for this one.
msg44447 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-18.09:20:51
done.
msg44446 (view) Author: [hidden] (pokoli) (Tryton committer) (Tryton translator) Date: 2018-10-18.09:12:08
Could you include us as reviewers? I can not see the review as it's marked as private
msg44445 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-18.00:08:57
Here is review54401002
msg44444 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-18.00:06:34
The bus is started before a connection is set, so the ssl property always returns false. So the Bus always tries to connect without SSL.
For me, it is a security issue because the session is passed in clear on the network.
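The ordering defect ced describes, as an added illustration in Python (not Tryton's code; the Connection, Client and bus classes and the /bus path are hypothetical): the buggy bus samples the ssl flag once, before any connection exists, and so silently falls back to plaintext, while the fixed variant reads it from the live connection at request time and refuses to run without one.

```python
from urllib.parse import urlsplit

class Connection:
    """Stand-in for the client's server connection (hypothetical)."""
    def __init__(self, url):
        self.url = url

    @property
    def ssl(self):
        return urlsplit(self.url).scheme == 'https'

class Client:
    """Holds the connection, which is None until connect() is called."""
    def __init__(self):
        self.connection = None

    def connect(self, url):
        self.connection = Connection(url)

class BuggyBus:
    """Reads the ssl flag once, at construction, before any connection exists."""
    def __init__(self, client):
        # Defect pattern: client.connection is still None here, so the flag is
        # always False and every bus request would go out over plain HTTP.
        self._use_ssl = bool(client.connection and client.connection.ssl)

    def bus_url(self, host):
        return ('https' if self._use_ssl else 'http') + '://' + host + '/bus'

class FixedBus:
    """Decides the scheme per request from the live connection, failing closed."""
    def __init__(self, client):
        self._client = client

    def bus_url(self, host):
        conn = self._client.connection
        if conn is None:
            # No connection yet: refuse rather than default to plaintext.
            raise RuntimeError('bus started before a connection was established')
        return ('https' if conn.ssl else 'http') + '://' + host + '/bus'

def demo(host='erp.example.test:8000'):
    """Create both buses before connect(), as in the report, then connect over TLS."""
    client = Client()
    buggy, fixed = BuggyBus(client), FixedBus(client)
    client.connect('https://' + host)
    return buggy.bus_url(host), fixed.bus_url(host)
```

Running demo() shows the buggy bus emitting an http:// URL even though the session was established over https, which is exactly the plaintext session leak the report is about.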
History
Date | User | Action | Args
2018-11-23 14:49:36 | ced | set | status: chatting -> resolved
2018-11-23 14:20:07 | yangoon | set | status: resolved -> chatting; messages: + msg44990
2018-11-23 13:54:41 | ced | set | status: chatting -> resolved; messages: + msg44989
2018-11-23 13:41:28 | yangoon | set | status: resolved -> chatting; messages: + msg44988
2018-10-31 08:41:28 | ced | set | status: testing -> resolved; messages: + msg44662
2018-10-27 10:43:57 | ced | set | messages: + msg44627
2018-10-27 10:04:50 | ced | set | messages: + msg44626
2018-10-24 18:37:43 | ced | set | messages: + msg44557
2018-10-23 18:40:01 | ced | set | messages: + msg44536
2018-10-18 09:20:51 | ced | set | messages: + msg44447
