[tryton-debian-vcs] tryton-server branch debian-stretch-3.6 updated. debian/3.6.14-1-2-g8ad9741

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Tue Apr 4 08:30:36 UTC 2017


The following commit has been merged in the debian-stretch-3.6 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.6.14-1-2-g8ad9741

commit 8ad9741ebb8f335ebc1f444f2f83ede87d932ceb
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Apr 4 09:41:10 2017 +0200

    Releasing debian version 3.6.15-1.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/debian/changelog b/debian/changelog
index f9906d9..56ea408 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+tryton-server (3.6.15-1) unstable; urgency=medium
+
+  * Merging upstream version 3.6.15.
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Tue, 04 Apr 2017 09:41:10 +0200
+
 tryton-server (3.6.14-1) unstable; urgency=medium
 
   * Add the actual upstream maintainer key to signing-key.asc.
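Review bot: the new 3.6.15-1 entry says only "Merging upstream version 3.6.15." and never names CVE-2017-0360, which the upstream CHANGELOG merged in this same push lists as the file_open fix. Add a changelog line citing the CVE so the security fix is visible from the package changelog alone, and reconsider whether urgency=medium is right for a release that carries a security fix.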
commit f4f8c2d61288707710c709aa3d62168edc3d9b37
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Apr 4 09:41:10 2017 +0200

    Merging upstream version 3.6.15.

diff --git a/CHANGELOG b/CHANGELOG
index 563b167..5f9b19c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 3.6.15 - 2017-04-03
+* Bug fixes (see mercurial logs for details)
+* Sanitize path in file_open against suffix (CVE-2017-0360)
+
 Version 3.6.14 - 2017-03-10
 * Bug fixes (see mercurial logs for details)
 
diff --git a/PKG-INFO b/PKG-INFO
index 1b49e3f..4a034db 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.6.14
+Version: 3.6.15
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index 1b49e3f..4a034db 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.6.14
+Version: 3.6.15
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond/__init__.py b/trytond/__init__.py
index 64084a1..c218858 100644
--- a/trytond/__init__.py
+++ b/trytond/__init__.py
@@ -4,7 +4,7 @@ import os
 import time
 from email import charset
 
-__version__ = "3.6.14"
+__version__ = "3.6.15"
 
 os.environ['TZ'] = 'UTC'
 if hasattr(time, 'tzset'):
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index d85bef3..91fcc93 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -61,7 +61,7 @@ def file_open(name, mode="r", subdir='modules'):
         "Join paths and ensure it still below root"
         path = os.path.join(root, *paths)
         path = os.path.normpath(path)
-        if not path.startswith(root):
+        if not path.startswith(os.path.join(root, '')):
             raise IOError("Permission denied: %s" % name)
         return path
 
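Review bot: the new condition `if not path.startswith(os.path.join(root, '')):` needs a one-line comment explaining why the trailing separator is appended. Without it, a normalized path that merely shares root's string prefix (root plus any suffix) passes the test, and that intent is not obvious from the expression. The comparison is still purely lexical on an `os.path.normpath` result, so it relies on `root` already being normalized and does not resolve symlinks below root; comparing `os.path.realpath` of both sides would cover those cases. No test changes accompany this hunk, so a regression test using a name that resolves to a directory next to root would keep the check from silently reverting.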
-- 
tryton-server


