Community mailing list archives
Re: Security - Odoo enterprise - DB access
This is the standard approach in the software industry to allow users/integrators to roll out the patch throughout their organizations.
The question was not related to the security patch itself but to the fact that between the time it gets announced to the public and the time it gets provided to Enterprise users lie several weeks. This means anybody who has an Enterprise version or access to it, even hackers, could use that security breach to hack into any other Odoo site where the site owner/maintainer was not informed for weeks.

IMHO it would be the right way to provide the patch at the same time to all users who are using a piece of software. If an Odoo site gets hacked and it becomes public, and perhaps this happened because the security issue and the patch were simply not known, it is a damage for all Odoo sites and not only for the one which got hacked.

On Tue, Apr 19, 2016 at 8:52 AM, Oliver Yuan <firstname.lastname@example.org> wrote:
I think Odoo Official treats security in the right way. First of all, the patch is provided to the Enterprise users and the security breach details will be published later. To publish a security breach without a remedy would encourage hackers to use the bug in the system and harm the true users.
Oliver

------------------ Original ------------------
From: "Andreas Becker" <email@example.com>;
Date: Tue, Apr 19, 2016 09:11 AM
To: "Community" <firstname.lastname@example.org>;
Subject: Re: Security - Odoo enterprise - DB access

On Sat, Apr 16, 2016 at 11:10 PM, Fabien Pinckaers <email@example.com> wrote:

we send them an email, along with a patch a few weeks before we disclosed the security breach publicly.
Hi Fabien

Why do you keep security issues hidden from the public for weeks? I think it is not a good way to increase public trust among customers when you leave Odoo websites open to serious security issues even when you already have a patch available.

To increase TRUST in Odoo it would be much, much better to provide the patch asap to everyone and of course publish the security issue immediately after it has been discovered, so that ALL users are warned, especially those who are not using the Enterprise version.

Even better would be to publish and report security issues of Odoo also to Secunia, which provides a great database of security advisories for everyone for free.

Security, especially of an ERP system which holds the data of hundreds, thousands, perhaps even millions of customers and their customers, should be the FIRST priority and treated as such. If Odoo and its community and the team which provides the software are such a great, fast working and patching team, then they really can present their fast way of patching things publicly as well. Right now it looks more like the typical Microsoft way, which means that security issues are not announced publicly for weeks, months, perhaps even years until a patch is available, and as you wrote, even then the public is excluded from that patch for weeks, which is horrible in terms of security for an enterprise and open source ERP system like Odoo / OpenERP.

A last question: How many issues have not been announced until now because your team wasn't able to provide a patch until now? Is Odoo safe or vulnerable?

Please disclose ALL security issues of Odoo asap so that everyone in the community could help to get things patched and secure again.

Thanks
Andi
Eric Caudal (from my mobile)