[tryton-debian-vcs] tryton-server branch debian updated. debian/3.8.0-1-2-g8dfd2f7

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Wed Dec 16 14:43:44 UTC 2015


The following commit has been merged in the debian branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.8.0-1-2-g8dfd2f7

commit 8dfd2f79f71a07b0cea23a9de2b503bc3aced90e
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Wed Dec 16 15:26:05 2015 +0100

    Releasing debian version 3.8.1-1.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/debian/changelog b/debian/changelog
index 3291846..cc522d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+tryton-server (3.8.1-1) unstable; urgency=high
+
+  * Merging upstream version 3.8.1.
+  * Fix for CVE-2015-0861 field access on multi write.
+    https://bugs.tryton.org/issue5167
+    https://codereview.tryton.org/22631002
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Wed, 16 Dec 2015 15:26:05 +0100
+
 tryton-server (3.8.0-1) unstable; urgency=medium
 
   * Merging upstream version 3.8.0.
commit 5d5b2dfe385443d095cc5d972e3d0236976e20d0
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Wed Dec 16 15:26:04 2015 +0100

    Merging upstream version 3.8.1.

diff --git a/CHANGELOG b/CHANGELOG
index 14105d6..0b08e2a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 3.8.1 - 2015-12-16
+* Bug fixes (see mercurial logs for details)
+* Check all fields when writing a sequence of records, values (CVE-2015-0861)
+
 Version 3.8.0 - 2015-11-02
 * Bug fixes (see mercurial logs for details)
 * Add test for all field methods
diff --git a/PKG-INFO b/PKG-INFO
index f18d9fe..13fbaa4 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.8.0
+Version: 3.8.1
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index f18d9fe..13fbaa4 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.8.0
+Version: 3.8.1
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond/__init__.py b/trytond/__init__.py
index 5c89744..5980724 100644
--- a/trytond/__init__.py
+++ b/trytond/__init__.py
@@ -4,7 +4,7 @@ import os
 import time
 from email import charset
 
-__version__ = "3.8.0"
+__version__ = "3.8.1"
 
 os.environ['TZ'] = 'UTC'
 if hasattr(time, 'tzset'):
diff --git a/trytond/model/modelstorage.py b/trytond/model/modelstorage.py
index 3bf8269..0d447dc 100644
--- a/trytond/model/modelstorage.py
+++ b/trytond/model/modelstorage.py
@@ -147,18 +147,19 @@ class ModelStorage(Model):
         ModelAccess = pool.get('ir.model.access')
         ModelFieldAccess = pool.get('ir.model.field.access')
 
-        ModelAccess.check(cls.__name__, 'write')
-        ModelFieldAccess.check(cls.__name__,
-            [x for x in values if x in cls._fields], 'write')
-
         assert not len(args) % 2
         actions = iter((records, values) + args)
         all_records = []
+        all_fields = set()
         for records, values in zip(actions, actions):
             if not cls.check_xml_record(records, values):
                 cls.raise_user_error('write_xml_record',
                         error_description='xml_record_desc')
             all_records += records
+            all_fields.update(values.iterkeys())
+
+        ModelAccess.check(cls.__name__, 'write')
+        ModelFieldAccess.check(cls.__name__, all_fields, 'write')
 
         # Increase transaction counter
         Transaction().counter += 1
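Review bot: The rewritten field-access check drops the `if x in cls._fields` filter that the removed call applied, so `all_fields` now passes every key of every values dict to `ModelFieldAccess.check`. That method is not visible here, so whether it tolerates names that are not model fields should be confirmed; if it does not, `all_fields.update(k for k in values if k in cls._fields)` keeps the old filtering while still covering every (records, values) pair. A comment above the two checks, such as `# Check access on the union of fields from all values dicts, not only the first (CVE-2015-0861)`, would guard against the checks being moved back above the loop. Separately, the context line `assert not len(args) % 2` is skipped under `python -O`, after which `zip(actions, actions)` silently drops an unpaired trailing argument; an explicit raise would be firmer. The enclosing method starts and ends outside the hunk.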
-- 
tryton-server


