Issue 7792

Title: Bus fails on ssl connection
Priority: bug
Status: resolved
Nosy list: bch, ced, nicoe, pokoli, sharkcz, yangoon
Assigned to: ced
Keywords: review

Created on 2018-10-18.00:06:35 by ced, last changed 24 months ago by ced.

Messages

Author: [hidden] (yangoon) Tryton translator
Date: 2018-11-23.14:20:07
> Cédric Krier <cedric.krier@b2ck.com> added the comment:
> 
> As we cannot get a CVE number on time, I propose to stop caring about CVE
> numbers. Our issue number is already a unique identifier for the issue.

My information from the security team:

Everyone can request one for public issues

https://cveform.mitre.org -> "Select a request type" -> "Request a CVE ID"

They're usually quick to reply, rarely more than a day.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-11-23.13:54:41
As we cannot get a CVE number on time, I propose to stop caring about CVE numbers. Our issue number is already a unique identifier for the issue.

Author: [hidden] (yangoon) Tryton translator
Date: 2018-11-23.13:41:28
CVE-2018-19443 was assigned directly from MITRE by request from Debian for 

https://discuss.tryton.org/t/security-release-for-issue7792/830
https://bugs.tryton.org/issue7792

Please update the advisories accordingly.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-31.08:41:27
Fixed with r 410709f6270b and r 873f265705e4

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-27.10:43:56
I wrote the news: https://discuss.tryton.org/t/security-release-for-issue7792/830

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-27.10:04:50
I sent a request to https://distributedweaknessfiling.org/; I got a few exchanges but I still have no number. I think we should not wait longer for that. (We can still add the number to the news later.)
I propose to make the security release on Wednesday 31 October.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-24.18:37:43
I sent a request for a number.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-23.18:40:01
I propose to get a CVE number for this one.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-18.09:20:51
done.

Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2018-10-18.09:12:08
Could you include us as reviewers? I cannot see the review as it's marked as private.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-18.00:08:57
Here is review54401002

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-10-18.00:06:34
The bus is started before a connection is set, so the ssl property always returns false. So the Bus always tries to connect without SSL.
For me, it is a security issue because the session is passed in the clear on the network.
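
A minimal model of the ordering problem described in the original report, added here as an example; it is not Tryton's code or the committed fix. The class names, the `/bus` path and the host `tryton.example` are constructed for illustration, and the lazy variant is one possible way to avoid the stale value.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Connection:
    host: str
    ssl: bool


class Client:
    """Constructed stand-in for a client; connection is None until login."""

    def __init__(self) -> None:
        self.connection: Optional[Connection] = None

    @property
    def ssl(self) -> bool:
        # With no connection set yet, this silently reports "no TLS".
        return bool(self.connection and self.connection.ssl)


class EagerBus:
    """Flawed ordering: the scheme is decided once, when the bus starts."""

    def __init__(self, client: Client) -> None:
        self.client = client
        self.scheme = "https" if client.ssl else "http"

    def url(self) -> str:
        return f"{self.scheme}://{self.client.connection.host}/bus"


class LazyBus:
    """Reads the live connection on every request and fails closed."""

    def __init__(self, client: Client) -> None:
        self.client = client

    def url(self) -> str:
        conn = self.client.connection
        if conn is None:
            raise RuntimeError("bus used before a connection is set")
        return f"{'https' if conn.ssl else 'http'}://{conn.host}/bus"


def demo() -> Tuple[str, str]:
    client = Client()
    eager, lazy = EagerBus(client), LazyBus(client)  # started before login
    client.connection = Connection("tryton.example", ssl=True)  # TLS login
    return eager.url(), lazy.url()
```
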
History
Date                 User     Action  Args
2018-11-23 14:49:36  ced      set     status: chatting -> resolved
2018-11-23 14:20:07  yangoon  set     status: resolved -> chatting; messages: + msg44990
2018-11-23 13:54:41  ced      set     status: chatting -> resolved; messages: + msg44989
2018-11-23 13:41:28  yangoon  set     status: resolved -> chatting; messages: + msg44988
2018-10-31 08:41:28  ced      set     status: testing -> resolved; messages: + msg44662
2018-10-27 10:43:57  ced      set     messages: + msg44627
2018-10-27 10:04:50  ced      set     messages: + msg44626
2018-10-24 18:37:43  ced      set     messages: + msg44557
2018-10-23 18:40:01  ced      set     messages: + msg44536
2018-10-18 09:20:51  ced      set     messages: + msg44447
