Tryton - Issues

 

Message27756

Author ced
Recipients ajacoutot, bch, nicoe, pokoli, sharkcz, yangoon
Date 2016-08-17.12:58:24
Content
While reading [1], I was wondering if trytond was also affected.
Indeed, series <=3.0 are not affected, but rc9be44cd05e1 removed the protection by mistake. The new password_hash field did not receive the same hiding treatment as the password field.
The exploitation is quite difficult because of the existing protections against such a leak. The protections are the usage of strong hashes (bcrypt and sha1) and the random salt.

[1] https://github.com/odoo/odoo/issues/13175
History
Date User Action Args
2016-08-17 12:58:25 ced set recipients: + bch, yangoon, nicoe, sharkcz, pokoli, ajacoutot
2016-08-17 12:58:25 ced set messageid: <1471431505.24.0.547730848917.issue5795@tryton.org>
2016-08-17 12:58:25 ced link issue5795 messages
2016-08-17 12:58:24 ced create
