[tryton-debian-vcs] tryton-server branch debian-stretch-4.0 updated. debian/4.0.7-1-2-gc04976c
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Tue Apr 4 08:30:37 UTC 2017
The following commit has been merged in the debian-stretch-4.0 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/4.0.7-1-2-gc04976c
commit c04976cf5023d8e9180b8cdcef2fdbb4c51b4302
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Apr 4 09:46:51 2017 +0200
Releasing debian version 4.0.8-1.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index 1ee9385..98905a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+tryton-server (4.0.8-1) unstable; urgency=medium
+
+ * Merging upstream version 4.0.8.
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Tue, 04 Apr 2017 09:46:51 +0200
+
tryton-server (4.0.7-1) unstable; urgency=medium
* Add the actual upstream maintainer key to signing-key.asc.
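Review bot: the new 4.0.8-1 entry says only "Merging upstream version 4.0.8." and does not mention that this upstream release carries a security fix. The upstream CHANGELOG hunk in the same push lists "Sanitize path in file_open against suffix (CVE-2017-0360)". Name the CVE in the Debian changelog entry as well, so the fix is visible to anyone auditing the package changelog without reading the upstream one.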
commit 52c963bb681a7f72a34e99d2e104c9c27c4eff40
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Apr 4 09:46:50 2017 +0200
Merging upstream version 4.0.8.
diff --git a/CHANGELOG b/CHANGELOG
index 509600d..67d955b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 4.0.8 - 2017-04-03
+* Bug fixes (see mercurial logs for details)
+* Sanitize path in file_open against suffix (CVE-2017-0360)
+
Version 4.0.7 - 2017-03-10
* Bug fixes (see mercurial logs for details)
diff --git a/PKG-INFO b/PKG-INFO
index a2155eb..95b80c3 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 4.0.7
+Version: 4.0.8
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index a2155eb..95b80c3 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 4.0.7
+Version: 4.0.8
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond/__init__.py b/trytond/__init__.py
index 893b15d..946b92a 100644
--- a/trytond/__init__.py
+++ b/trytond/__init__.py
@@ -5,7 +5,7 @@ import time
import logging
from email import charset
-__version__ = "4.0.7"
+__version__ = "4.0.8"
logger = logging.getLogger(__name__)
os.environ['TZ'] = 'UTC'
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 7983778..94de9cb 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -61,7 +61,7 @@ def file_open(name, mode="r", subdir='modules', encoding=None):
"Join paths and ensure it still below root"
path = os.path.join(root, *paths)
path = os.path.normpath(path)
- if not path.startswith(root):
+ if not path.startswith(os.path.join(root, '')):
raise IOError("Permission denied: %s" % name)
return path
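Review bot: the replacement condition, path.startswith(os.path.join(root, '')), is still a string comparison on the output of os.path.normpath, so two things are worth confirming before relying on it. First, the comparison only holds if root is itself absolute and normalized; that is not visible in this hunk, and normalizing root at the point where it is defined would make the check self-contained. Second, normpath is purely lexical and does not resolve symlinks, so a link below root is not covered; comparing os.path.realpath of both sides would close that if symlinks can exist under the modules directory. The change also arrives without a regression test: a case where the joined path lands in a sibling directory whose name merely begins with root, asserting that IOError is raised, would pin the CVE-2017-0360 behaviour.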
--
tryton-server