Odoo Help

[Alert] How do I patch the 2014-01-safe-eval security bug?

By Stephen Mack on 11/3/14, 8:20 AM (1,356 views)

Today [3-November-2014], Odoo announced that there is a security vulnerability with all versions of Odoo/OpenERP.  How is the vulnerability accessed, how do I patch it and what versions are safe?

Stephen Mack
On 11/3/14, 8:22 AM

Details are available here: https://github.com/odoo/odoo/issues/3445


*** Please Note *** 
If you are an Odoo SaaS user/subscriber, your instance has already been patched.

The patch is to the ~/tools/safe_eval.py file and requires the deletion of two lines of code.

 

Arbitrary code execution using safe eval expressions

Affects: All Odoo/OpenERP versions (6.0, 6.1, 7.0, 8.0 and all versions of SaaS)
Component: Odoo Server
Credit: "duesenfranz"

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

The following list contains the revisions after which the vulnerability was corrected:

I think Odoo should have a special page on the official domain for this kind of announcement.

Ben Bernard
on 11/3/14, 9:02 AM

Agreed. They did post it on their community list: https://www.odoo.com/groups/community-59/community-9673986

Stephen Mack
on 11/3/14, 9:06 AM

So the only thing you need to edit to remove the problems are these lines? 'globals': locals, - 'locals': locals,

Yenthe
on 11/3/14, 9:38 AM

It was not made 100% clear in the GitHub post but it seems so.

Stephen Mack
on 11/3/14, 10:20 AM
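
A check for the two entries quoted in the comments above, added here as an example; it is not part of the original thread or Odoo's own code. It assumes the fix is exactly the removal of the `'globals': locals` and `'locals': locals` entries from `tools/safe_eval.py`, which the thread describes as likely but not confirmed; the `_BUILTINS` name and both sample files are constructed.

```python
import re
import sys

# Entries quoted in the thread: 'globals': locals and 'locals': locals
ENTRY = re.compile(r"""['"](globals|locals)['"]\s*:\s*locals\b""")

# Constructed sample of an unpatched file (the dict name is an assumption).
UNPATCHED_SAMPLE = """\
_BUILTINS = {
    'globals': locals,
    'locals': locals,
    'str': str,
}
"""

# Constructed sample: one entry deleted, the other only commented out.
PATCHED_SAMPLE = """\
_BUILTINS = {
    # 'globals': locals,
    'str': str,
}
"""

def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside quotes (no escape handling)."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def find_exposed_entries(source):
    """Return (line number, key) for each live entry that still maps to locals."""
    return [(n, m.group(1))
            for n, line in enumerate(source.splitlines(), 1)
            for m in ENTRY.finditer(strip_comment(line))]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to your own tools/safe_eval.py
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = find_exposed_entries(fh.read())
        print("\n".join(f"line {n}: '{k}' still maps to locals" for n, k in hits) or "no matching entries")
        sys.exit(1 if hits else 0)
    print("unpatched sample:", find_exposed_entries(UNPATCHED_SAMPLE))
    print("patched sample:", find_exposed_entries(PATCHED_SAMPLE))
```

Run it with the path to the installed `tools/safe_eval.py`; it exits non-zero when either entry is still live, and treats commented-out entries as removed.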

Stats

Asked: 11/3/14, 8:20 AM
Seen: 1356 times
Last updated: 5/20/15, 4:04 AM