[tryton-debian-vcs] tryton-server branch upstream-3.4 updated. upstream/3.4.16-1-gb7bdfd0

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Tue Apr 4 08:30:37 UTC 2017


The following commit has been merged in the upstream-3.4 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=upstream/3.4.16-1-gb7bdfd0

commit b7bdfd01098124e4fdc02268ecd78544c2deb955
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Apr 4 09:39:38 2017 +0200

    Adding upstream version 3.4.17.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/CHANGELOG b/CHANGELOG
index 537eff3..703f523 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 3.4.17 - 2017-04-03
+* Bug fixes (see mercurial logs for details)
+* Sanitize path in file_open against suffix (CVE-2017-0360)
+
 Version 3.4.16 - 2017-03-10
 * Bug fixes (see mercurial logs for details)
 
diff --git a/PKG-INFO b/PKG-INFO
index f06260f..10f9554 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.4.16
+Version: 3.4.17
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index f06260f..10f9554 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.4.16
+Version: 3.4.17
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 598f25a..a75fef2 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -62,7 +62,7 @@ def file_open(name, mode="r", subdir='modules'):
         "Join paths and ensure it still below root"
         path = os.path.join(root, *paths)
         path = os.path.normpath(path)
-        if not path.startswith(root):
+        if not path.startswith(os.path.join(root, '')):
             raise IOError("Permission denied: %s" % name)
         return path
 
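Review bot: The containment check on the `path.startswith(os.path.join(root, ''))` line is still a purely lexical string comparison. `os.path.normpath` collapses `..` but does not resolve symlinks, and the hunk does not show whether `root` is itself absolute and normalized, so confirm that where `root` is defined. If symlinked module directories are in scope, resolve both sides before comparing, e.g. `path = os.path.realpath(os.path.join(root, *paths))` checked against `os.path.join(os.path.realpath(root), '')`. The trailing-separator trick is easy to undo in a later cleanup, so a comment above the check would help, such as `# compare against root + os.sep so a sibling directory sharing root's prefix is rejected`, along with a regression test for that case. The enclosing helper and `file_open` start and end outside this hunk.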
diff --git a/trytond/version.py b/trytond/version.py
index 1965908..b3dc7bb 100644
--- a/trytond/version.py
+++ b/trytond/version.py
@@ -1,6 +1,6 @@
 #This file is part of Tryton.  The COPYRIGHT file at the top level of
 #this repository contains the full copyright notices and license terms.
 PACKAGE = "trytond"
-VERSION = "3.4.16"
+VERSION = "3.4.17"
 LICENSE = "GPL-3"
 WEBSITE = "http://www.tryton.org/"
-- 
tryton-server


