Today [3-November-2014], Odoo announced that there is a security vulnerability affecting all versions of Odoo/OpenERP. How is the vulnerability accessed, how do I patch it, and what versions are safe?
Details are available here: https://github.com/odoo/odoo/issues/3445
*** Please Note ***
If you are an Odoo SaaS user/subscriber, your instance has already been patched.
The patch is to the ~/tools/safe_eval.py file and requires the deletion of two lines of code.
Arbitrary code execution using safe eval expressions
Affects: All Odoo/OpenERP versions (6.0, 6.1, 7.0, 8.0 and all versions of SaaS)
Component: Odoo Server
Credit: "duesenfranz"
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
The following list contains the revisions after which the vulnerability was corrected:
I think Odoo should have a special page on its official domain for this kind of announcement.
Agreed. They did post it on their community list: https://www.odoo.com/groups/community-59/community-9673986
So the only thing you need to edit to remove the problem is these lines?
    'globals': locals,
    'locals': locals,
It was not made 100% clear in the github post but it seems so.
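As an added example for this thread (it is not Odoo's code and not part of the original post), here is a small check a self-hosted administrator can run against a server's tools/safe_eval.py to see whether the two builtins entries the patch deletes are still present. The patterns are taken from the lines quoted in the comment above ('globals': locals and 'locals': locals); the dict name _BUILTINS and the two excerpts used as sample input are constructed for illustration, not copied from any Odoo release.

```python
"""Check an Odoo/OpenERP tools/safe_eval.py for the two builtins entries
removed by the November 2014 fix.

Added example for this thread, not Odoo code. The two entry patterns come
from the lines quoted in the comments ('globals': locals, 'locals': locals).
The surrounding code in each release is an assumption, so entries are
matched with a tolerant regular expression rather than by whole-line text.
"""
import re
import sys

# A dict entry such as  'globals': locals,  or  "locals" : locals  in any
# quote/whitespace style. In the vulnerable versions both keys map Python's
# real locals() into the sandbox's builtins.
_ENTRY = re.compile(
    r"""^\s*['"](?P<key>globals|locals)['"]\s*:\s*locals\s*,?\s*(#.*)?$"""
)


def find_vulnerable_entries(source):
    """Return (line_number, key) pairs for builtins entries that expose
    locals()/globals() to evaluated expressions. An empty list means the
    two lines the advisory refers to are absent, i.e. the file is patched."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith('#'):
            continue  # a commented-out entry is already disabled
        m = _ENTRY.match(line)
        if m:
            hits.append((lineno, m.group('key')))
    return hits


def is_patched(source):
    """True when no globals/locals entry remains in the sandbox builtins."""
    return not find_vulnerable_entries(source)


# Constructed excerpts (dict name and neighbouring entries are made up):
# the same builtins table before and after deleting the two lines.
VULNERABLE_EXCERPT = '''
_BUILTINS = {
    'True': True,
    'False': False,
    'None': None,
    'len': len,
    'globals': locals,
    'locals': locals,
    'range': range,
}
'''

PATCHED_EXCERPT = '''
_BUILTINS = {
    'True': True,
    'False': False,
    'None': None,
    'len': len,
    'range': range,
}
'''


def main(argv):
    if len(argv) != 2:
        print("usage: check_safe_eval.py /path/to/odoo/tools/safe_eval.py")
        return 2
    with open(argv[1]) as f:
        hits = find_vulnerable_entries(f.read())
    if hits:
        for lineno, key in hits:
            print("line %d: builtins entry %r still maps to locals" % (lineno, key))
        print("VULNERABLE: delete the lines above and restart the server")
        return 1
    print("patched: no globals/locals entries in the sandbox builtins")
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it as `python check_safe_eval.py /path/to/odoo/tools/safe_eval.py` on each server (the file lives under openerp/tools/ in 7.0-era installs); exit status 1 means the entries are still there. Restart the Odoo server after deleting them, since the module is loaded once at startup.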