
Today [3-November-2014], Odoo announced that there is a security vulnerability with all versions of Odoo/OpenERP. How is the vulnerability accessed, how do I patch it and what versions are safe?

Author Best Answer

Details are available here: https://github.com/odoo/odoo/issues/3445


*** Please Note *** 
If you are an Odoo SaaS user/subscriber, your instance has already been patched.

The patch is to the ~/tools/safe_eval.py file and requires the deletion of two lines of code.


Arbitrary code execution using safe eval expressions

Affects: All Odoo/OpenERP versions (6.0, 6.1, 7.0, 8.0 and all versions of SaaS)
Component: Odoo Server
Credit: "duesenfranz"

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

The following list contains the revisions after which the vulnerability was corrected:

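To make the advisory above concrete, here is an added illustration. It is not Odoo's code and it is not the exploit chain from the GitHub issue: it is a constructed minimal restricted evaluator whose builtins table either does or does not contain the two entries the patch deletes, 'globals': locals and 'locals': locals. Odoo's real safe_eval also validates bytecode, so this toy shows only what those two entries hand to an expression: the evaluation namespace itself, including the sandbox's own builtins table, which the expression can then rewrite for every later evaluation that shares it. All names (make_evaluator, _SAFE_BUILTINS, the sample context) are assumptions made for the example.

```python
# Added example: a constructed minimal expression sandbox, NOT Odoo's safe_eval.
# It shows what exposing Python's real locals()/globals() through the builtins
# whitelist gives an expression; it does not reproduce the reported exploit.

def _make_context():
    """Constructed sample of the values an application exposes on purpose."""
    return {"amount": 120.0, "user": {"name": "alice", "is_admin": False}}


# The whitelist every expression is allowed to use (constructed, deliberately small).
_SAFE_BUILTINS = {
    "True": True, "False": False, "None": None,
    "abs": abs, "min": min, "max": max, "len": len, "round": round,
}


def make_evaluator(expose_namespace_builtins):
    """Return a restricted eval.

    The flag mirrors the two lines the Odoo patch deletes:
        'globals': locals,
        'locals': locals,
    Note that this evaluator keeps ONE builtins table for its whole lifetime.
    """
    builtins = dict(_SAFE_BUILTINS)
    if expose_namespace_builtins:
        builtins["globals"] = locals   # the two entries removed by the fix
        builtins["locals"] = locals

    def restricted_eval(expr, context):
        # eval() with only a globals dict uses that dict as locals too, so a call
        # to locals() inside the expression returns this very dict.
        namespace = {"__builtins__": builtins}
        namespace.update(context)
        return eval(compile(expr, "<expr>", "eval"), namespace)

    return restricted_eval


def demo():
    """Run the same expressions through both evaluators; return what happened."""
    results = {}
    vulnerable = make_evaluator(expose_namespace_builtins=True)
    hardened = make_evaluator(expose_namespace_builtins=False)

    # A harmless business expression works in both.
    results["vuln_ok"] = vulnerable("max(amount, 100)", _make_context())
    results["hard_ok"] = hardened("max(amount, 100)", _make_context())

    # With locals exposed, the expression receives the evaluation namespace,
    # including the sandbox's private builtins table under '__builtins__'.
    namespace = vulnerable("locals()", _make_context())
    results["namespace_keys"] = sorted(namespace)

    # That table is shared across evaluations, so one expression can rewrite the
    # policy for all later ones: here 'len' is silently replaced by 'max'.
    vulnerable("locals()['__builtins__'].update({'len': max})", _make_context())
    results["len_after_tamper"] = vulnerable("len([1, 7, 3])", _make_context())

    # The hardened evaluator does not know the name at all.
    try:
        hardened("locals()", _make_context())
        results["hardened_blocked"] = False
    except NameError:
        results["hardened_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point to take from the demo is not the specific tamper but the capability: anything that returns the evaluation namespace gives expressions a handle on objects the sandbox meant to keep to itself, and a whitelist that is reused between evaluations turns that into persistent state an attacker can poison.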

I think Odoo should have a special page on its official domain for this kind of announcement.

Author

Agreed. They did post it on their community list: https://www.odoo.com/groups/community-59/community-9673986

So the only thing you need to edit to remove the problems are these lines?

    'globals': locals,
    'locals': locals,

Author

It was not made 100% clear in the github post but it seems so.
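Added example, not from the thread and not from Odoo: a small check for the two entries discussed above, so you can confirm on each server whether safe_eval.py still carries them. It scans lines instead of parsing, because the affected releases (6.0 to 8.0) are Python 2 code that a Python 3 ast.parse may reject. The sample texts are constructed, and the dict name _BUILTINS in them is an assumption; the check does not depend on it.

```python
# Added example: detect the two builtins-table entries the patch deletes.
import re
import sys
from pathlib import Path

# A dict entry mapping the key 'globals' or 'locals' to Python's real
# globals/locals builtin, with an optional trailing comma or comment.
_NAMESPACE_ENTRY = re.compile(
    r"""^\s*['"](?P<key>globals|locals)['"]\s*:\s*(?P<value>globals|locals)\s*,?\s*(#.*)?$"""
)


def find_namespace_entries(source):
    """Return (line_number, key, value) for every offending entry in a source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _NAMESPACE_ENTRY.match(line)
        if match:
            hits.append((lineno, match.group("key"), match.group("value")))
    return hits


def check_safe_eval(path):
    """Report whether the safe_eval.py at `path` still carries the entries."""
    hits = find_namespace_entries(Path(path).read_text(encoding="utf-8"))
    return {"path": str(path), "patched": not hits, "entries": hits}


# Constructed samples standing in for the relevant part of a builtins table,
# before and after the two-line deletion. The dict name is an assumption.
UNPATCHED_SAMPLE = """\
_BUILTINS = {
    'True': True,
    'False': False,
    'None': None,
    'globals': locals,
    'locals': locals,
    'bool': bool,
    'int': int,
}
"""

PATCHED_SAMPLE = """\
_BUILTINS = {
    'True': True,
    'False': False,
    'None': None,
    'bool': bool,
    'int': int,
}
"""


if __name__ == "__main__":
    # Usage (hypothetical file name): python check_safe_eval.py /path/to/tools/safe_eval.py
    if sys.argv[1:]:
        for arg in sys.argv[1:]:
            print(check_safe_eval(arg))
    else:
        print("unpatched sample:", find_namespace_entries(UNPATCHED_SAMPLE))
        print("patched sample:  ", find_namespace_entries(PATCHED_SAMPLE))
```

Two practical caveats: the module is loaded once at server start-up, so after deleting the lines the server process must be restarted before the edit takes effect, and a report of "patched" from this check only means the two entries are gone from that file, not that the server is otherwise up to date.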