Today [3-November-2014], Odoo announced that there is a security vulnerability with all versions of Odoo/OpenERP. How is the vulnerability accessed, how do I patch it and what versions are safe?
Details are available here: https://github.com/odoo/odoo/issues/3445
*** Please Note ***
If you are an odoo SaaS user/subscriber, your instance has already been patched.
The patch is to the ~/tools/safe_eval.py file and requires the deletion of two lines of code.
Arbitrary code execution using safe eval expressions
Affects: All Odoo/OpenERP versions (6.0, 6.1, 7.0, 8.0 and all versions of SaaS)
Component: Odoo Server
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
The following list contains the revisions after which the vulnerability was corrected:
Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!
About This Community
|Asked: 11/3/14, 8:20 AM|
|Seen: 1355 times|
|Last updated: 5/20/15, 4:04 AM|