Today [3-November-2014], Odoo announced that there is a security vulnerability with all versions of Odoo/OpenERP. How is the vulnerability accessed, how do I patch it and what versions are safe?
Details are available here: https://github.com/odoo/odoo/issues/3445
*** Please Note ***
If you are an Odoo SaaS user/subscriber, your instance has already been patched.
The patch is to the ~/tools/safe_eval.py file and requires the deletion of two lines of code.
Arbitrary code execution using safe eval expressions
Affects: All Odoo/OpenERP versions (6.0, 6.1, 7.0, 8.0 and all versions of SaaS)
Component: Odoo Server
Credit: "duesenfranz"
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
The following list contains the revisions after which the vulnerability was corrected:
I think odoo should have special page in official domain for this kind of announcement.
Agreed. They did post it on their community list: https://www.odoo.com/groups/community-59/community-9673986
So the only thing you need to edit to remove the problem is these lines? 'globals': locals, - 'locals': locals,
It was not made 100% clear in the github post but it seems so.
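Since the answer and the comment above both come down to whether those two dict entries are still present in safe_eval.py, here is an added check (my own code, not Odoo's) that audits a copy of the file with Python's ast module and reports any 'globals'/'locals' entry that maps to the locals or globals builtin. The two sample sources, the EXPOSED set and the function names are constructed for this example; the real file is longer.

```python
import ast
from typing import List, Tuple

# Constructed sample mimicking the shape of the offending lines in
# tools/safe_eval.py before the fix (the real dict has many more entries).
VULNERABLE_SAMPLE = """
_BUILTINS = {
    'True': True,
    'len': len,
    'globals': locals,
    'locals': locals,
}
"""

# Constructed sample of the same dict after the two lines are deleted.
PATCHED_SAMPLE = """
_BUILTINS = {
    'True': True,
    'len': len,
}
"""

# Builtin names that hand an evaluated expression access to its namespace.
EXPOSED = {"locals", "globals"}


def find_exposed_namespace_builtins(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, key, value_name) for every dict-literal entry whose key is
    'locals' or 'globals' and whose value is the bare builtin locals/globals."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        for key, value in zip(node.keys, node.values):
            if key is None:  # a **mapping entry has no key node
                continue
            if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                    and key.value in EXPOSED
                    and isinstance(value, ast.Name) and value.id in EXPOSED):
                findings.append((key.lineno, key.value, value.id))
    return findings


def is_patched(source: str) -> bool:
    """True when no namespace-exposing entry remains in the source."""
    return not find_exposed_namespace_builtins(source)


if __name__ == "__main__":
    import sys
    # Pass the path to your safe_eval.py; without one the constructed sample is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_SAMPLE
    for line, key, val in find_exposed_namespace_builtins(src):
        print(f"line {line}: '{key}': {val}  <- still present, apply the fix")
    print("patched" if is_patched(src) else "NOT patched")
```

Run it as `python check_safe_eval.py /path/to/tools/safe_eval.py`; a clean run prints only "patched".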