[tryton-debian-vcs] tryton-server branch debian-stretch-3.6 updated. debian/3.6.4-1-2-ga898e04
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Wed Dec 16 14:43:44 UTC 2015
The following commit has been merged in the debian-stretch-3.6 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.6.4-1-2-ga898e04
commit a898e042403dd83f33c0ca52aa9cd05f9d9af561
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Wed Dec 16 15:32:03 2015 +0100
Releasing debian version 3.6.5-1.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index 6b26b78..c847201 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+tryton-server (3.6.5-1) unstable; urgency=high
+
+ * Merging upstream version 3.6.5.
+ * Fix for CVE-2015-0861 field access on multi write.
+ https://bugs.tryton.org/issue5167
+ https://codereview.tryton.org/22631002
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Wed, 16 Dec 2015 15:32:03 +0100
+
tryton-server (3.6.4-1) unstable; urgency=medium
* Setting the branch in the watch file to the fixed version 3.6.
commit fd98a955f8ac872d1081a494515429eff850005e
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Wed Dec 16 15:32:02 2015 +0100
Merging upstream version 3.6.5.
diff --git a/CHANGELOG b/CHANGELOG
index ccdaba8..cf8cef8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 3.6.5 - 2015-12-16
+* Bug fixes (see mercurial logs for details)
+* Check all fields when writing a sequence of records, values (CVE-2015-0861)
+
Version 3.6.4 - 2015-11-09
* Bug fixes (see mercurial logs for details)
diff --git a/PKG-INFO b/PKG-INFO
index c90cff5..85e13cf 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 3.6.4
+Version: 3.6.5
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index c90cff5..85e13cf 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 3.6.4
+Version: 3.6.5
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond/__init__.py b/trytond/__init__.py
index 04005d0..641a3db 100644
--- a/trytond/__init__.py
+++ b/trytond/__init__.py
@@ -4,7 +4,7 @@ import os
import time
from email import charset
-__version__ = "3.6.4"
+__version__ = "3.6.5"
os.environ['TZ'] = 'UTC'
if hasattr(time, 'tzset'):
diff --git a/trytond/model/modelstorage.py b/trytond/model/modelstorage.py
index 3bf8269..0d447dc 100644
--- a/trytond/model/modelstorage.py
+++ b/trytond/model/modelstorage.py
@@ -147,18 +147,19 @@ class ModelStorage(Model):
ModelAccess = pool.get('ir.model.access')
ModelFieldAccess = pool.get('ir.model.field.access')
- ModelAccess.check(cls.__name__, 'write')
- ModelFieldAccess.check(cls.__name__,
- [x for x in values if x in cls._fields], 'write')
-
assert not len(args) % 2
actions = iter((records, values) + args)
all_records = []
+ all_fields = set()
for records, values in zip(actions, actions):
if not cls.check_xml_record(records, values):
cls.raise_user_error('write_xml_record',
error_description='xml_record_desc')
all_records += records
+ all_fields.update(values.iterkeys())
+
+ ModelAccess.check(cls.__name__, 'write')
+ ModelFieldAccess.check(cls.__name__, all_fields, 'write')
# Increase transaction counter
Transaction().counter += 1
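Review bot: The new `all_fields.update(values.iterkeys())` line drops the `if x in cls._fields` filter that the removed check applied, so keys that are not fields of the model are now passed to `ModelFieldAccess.check`. Either keep the filter when collecting (`all_fields.update(k for k in values if k in cls._fields)`) or confirm that `check` handles unknown names without raising or silently passing. Moving both checks below the loop also means `check_xml_record` and its `write_xml_record` error now run before `ModelAccess.check`, so a caller without write access can receive the XML-record error instead of an access error; if that ordering matters, leave `ModelAccess.check` above the loop and defer only the field check. A regression test that calls write with a second `(records, values)` pair containing a field the user may not write would pin the CVE-2015-0861 behaviour; none is visible in this diff.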
--
tryton-server