Community mailing list archives

community@mail.odoo.com

Re: Security - Odoo enterprise - DB access

by
Andi Becker
- 04/20/2016 22:00:51
Well, we have worked with several Open Source products for over 20 years, and with all software we provided to our customers until now, patches have been released and announced at the same time for everybody and not only for enterprise customers.

This approach described by Fabien would be a great invitation for hackers to get access to an Enterprise list of announcements and then be able to hack Community versions and those who won't get those announcements. Happy hacking, I would say - this is simply a crazy approach! Sorry!

Customers have a great interest in their sites being secure. Therefore, as soon as patches are available they should be available for everyone and not only for some special ones.

People should be able to subscribe to a security announcement list, and then they can decide themselves if they would like to have a secure or a vulnerable site.

IMHO it is very important, and as long as we have worked with Enterprise Open Source products this was always like this - announcements of security issues came out asap, as they were discovered, and a patch was usually released shortly after. Take TYPO3 as an example.

Probably it would be a good idea to simply do those announcements in parallel for the community version and the community modules, in the way the TYPO3 Security Team is also doing it. They are constantly testing and the community is constantly reporting and fixing after an issue has been discovered, and patches are available for everyone, as the main goal is to have no vulnerable sites at all - no matter if enterprise or community or whatsoever. Secure is secure.

Is there an existing security team or a security mailing list for the community edition?





With kind regards,
Mit freundlichen Grüßen,
Con un cordial saludo,
Cordialement,
с сердечным приветом,
เรื่องที่เกี่ยวกับชนิด,
與親切的問候,

 ANDI BECKER

CEO/General Manager LisAndi Co., Ltd.

--------------------------------------------------

LisAndi Co. Ltd., Phuket, Thailand (lisandi.com)
15/21 M.2 Viset Road, Rawai, Muang, Phuket, Thailand 83130

Mobile: +66 (0)81 606 3378
VoIP:   +49 (0)711 50 88788 50
Fax:     +49 (0)711 50 88788 50
Skype:          lisandi
Facebook:     andibecker
Google Talk/Facetime/eMail:  andi@lisandi.com

--------------------------------------------------


On Thu, Apr 21, 2016 at 7:32 AM, Caudal Eric <caudaleric@gmail.com> wrote:

This is a standard approach in the software industry to allow the users/integrators to roll out the patch all over their organizations.


On Wed, Apr 20, 2016, 22:42 Andreas Becker <andi@lisandi.com> wrote:
The question was not related to the security patch itself but to the fact that several weeks lie between it being provided to Enterprise users and it being announced to the public. This means anybody who has an Enterprise version or access to it, even hackers, could use that security breach to hack into any other Odoo site where the site owner/maintainer did not get informed for weeks.

IMHO it would be the right way to provide the patch at the same time to all users who are using a piece of software. If an Odoo site gets hacked and it becomes public, and perhaps this happened because the security issue and the patch were simply not known, it is damaging for all Odoo sites and not only for the one which got hacked.






On Tue, Apr 19, 2016 at 8:52 AM, Oliver Yuan <oliver.yuan@openstone.cn> wrote:

Hi All,

I think Odoo Official treats security in the right way. First of all the patch is provided to the enterprise users, and the security breach details will be published later. To publish a security breach without a remedy would encourage the hackers to use the bug in the system and harm the true users.

Oliver

------------------ Original ------------------
From:  "Andreas Becker"<andi@lisandi.com>;
Date:  Tue, Apr 19, 2016 09:11 AM
To:  "Community"<community@mail.odoo.com>;
Subject:  Re: Security - Odoo enterprise - DB access

On Sat, Apr 16, 2016 at 11:10 PM, Fabien Pinckaers <fp@odoo.com> wrote:
we send them an email, along with a patch a few weeks before we disclosed the security breach publicly.

Hi Fabien

Why do you keep security issues hidden from the public for weeks? I think it is not a good way to increase public trust among customers when you leave Odoo websites open to serious security issues even when you already have a patch available.

To increase TRUST in Odoo it would be much, much better to provide the patch asap for everyone and of course publish the security issue immediately after it has been discovered, so that ALL users are warned, especially also those who are not using the Enterprise version.

Even better would be to publish and report security issues of Odoo also to Secunia, which provides a great database of security advisories for everyone for free.

Security, especially of an ERP system which holds hundreds, thousands, perhaps even millions of customers' data and their customers' data, should be the FIRST priority and treated as such. If Odoo and its community and the team which provides the software is such a great, fast-working and fast-patching team, then they really can present their fast way of patching things publicly as well. Right now it looks more like the typical Microsoft way, which means that security issues do not get announced publicly for weeks, months, perhaps even years until a patch is available, and as you wrote, even then the public gets excluded from that patch for weeks, which is horrible in terms of security for an enterprise and Open Source ERP system like Odoo / OpenERP.

A last question: How many issues have not been announced until now because your team wasn't able to provide a patch until now? Is Odoo safe or vulnerable?

Please disclose ALL security issues of Odoo asap so that everyone in the community can help to get things patched and secure again. Thanks

Andi


_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe


--

Eric  Caudal (from my mobile)
