Today [3-November-2014], Odoo announced that there is a security vulnerability with all versions of Odoo/OpenERP. How is the vulnerability accessed, how do I patch it and what versions are safe?
Details are available here: https://github.com/odoo/odoo/issues/3445
*** Please Note ***
If you are an odoo SaaS user/subscriber, your instance has already been patched.
The patch is to the ~/tools/safe_eval.py file and requires the deletion of two lines of code.
Arbitrary code execution using safe eval expressions
Affects: All Odoo/OpenERP versions (6.0, 6.1, 7.0, 8.0 and all versions of SaaS)
Component: Odoo Server
Credit: "duesenfranz"
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
The following list contains the revisions after which the vulnerability was corrected:
I think odoo should have special page in official domain for this kind of announcement.
Agreed. They did post it on their community list: https://www.odoo.com/groups/community-59/community-9673986
So the only thing you need to edit to remove the problems is these lines?
- 'globals': locals,
- 'locals': locals,
It was not made 100% clear in the github post but it seems so.
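For administrators running on-premise instances, a quick way to confirm whether the patch described above has landed is to scan the installed safe_eval.py for the two entries the fix deletes. The script below is an added example written for this thread; it is not Odoo's code and not the patch itself. It assumes, as the comments above suggest, that the two lines in question are 'globals': locals, and 'locals': locals, inside the builtins table of tools/safe_eval.py, and it tolerates minor whitespace and quote-style differences between releases (an assumption, since the exact formatting is not quoted here). The sample sources embedded at the bottom are constructed for illustration.

```python
"""Checker for the Odoo safe_eval advisory discussed in this thread.

Added example, not Odoo's code: scans a copy of tools/safe_eval.py for the
two builtin-table entries the patch removes, assumed to be
``'globals': locals,`` and ``'locals': locals,``, and reports where they
still appear so an operator can tell an unpatched install from a patched one.
"""
import os
import re
from typing import Dict, List, Tuple

# Matches a dict entry whose key is 'globals' or 'locals' and whose value is
# the bare name ``locals``. Whitespace, quote style, a trailing comma and a
# trailing comment are tolerated (assumption about formatting variants).
UNSAFE_ENTRY_RE = re.compile(
    r"""^\s*(['"])(globals|locals)\1\s*:\s*locals\s*,?\s*(#.*)?$"""
)


def find_unsafe_lines(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each entry the patch removes."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if UNSAFE_ENTRY_RE.match(line):
            hits.append((lineno, line.strip()))
    return hits


def is_patched(source: str) -> bool:
    """True when neither offending entry is present in the given source."""
    return not find_unsafe_lines(source)


def audit_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk an install tree and report every safe_eval.py still carrying the entries."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "safe_eval.py" in files:
            path = os.path.join(dirpath, "safe_eval.py")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_unsafe_lines(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed samples shaped like a builtins table, before and after the fix.
# Illustrative only; not copied from Odoo's safe_eval.py.
UNPATCHED_SAMPLE = """\
_BUILTINS = {
    'True': True,
    'False': False,
    'globals': locals,
    'locals': locals,
    'len': len,
}
"""

PATCHED_SAMPLE = """\
_BUILTINS = {
    'True': True,
    'False': False,
    'len': len,
}
"""

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        hits = find_unsafe_lines(sample)
        print(f"{name}: {'OK' if not hits else 'STILL VULNERABLE'} {hits}")
    # On a real host, point audit_tree at the server's install directory, e.g.
    # audit_tree('/path/to/odoo')  (placeholder path)
```

Run it against the server's source tree with audit_tree; an empty report means every safe_eval.py found has the entries removed. Because the match is textual, a hit only tells you the lines are still present; confirming the release-specific revision from the official list is still the authoritative check.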