-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Apr 2019 20:03:31 +0200
Source: tryton-server
Binary: tryton-server tryton-server-doc
Architecture: source all
Version: 4.2.1-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Tryton Maintainers <maintainers@debian.tryton.org>
Changed-By: Mathias Behrle <mathiasb@m9s.biz>
Description:
 tryton-server - Tryton Application Platform (Server)
 tryton-server-doc - Tryton Application Platform (Server Documentation)
Changes:
 tryton-server (4.2.1-2+deb9u1) stretch-security; urgency=high
 .
   * Include patches for CVE-2019-10868.
   * Add 03_sec_issue7766_check_read_access_in_search_domain.patch.
     This patch fixes security issue http://bugs.tryton.org/issue7766:
     Check read access on field in search domain.
     It is possible for an authenticated user to guess the value of a field
     for which he has no access right, no matter whether it is at the model
     or the field level. The procedure is to make dichotomous search queries
     on the model using a domain clause on the field equals value until the
     search returns the id.
     See also https://discuss.tryton.org/t/security-release-for-issue7766/
 .
   * Add 04_sec_issue8189_check_read_access_on_search_order.patch.
     This patch fixes security issue http://bugs.tryton.org/issue8189:
     Check read access on field in search_order.
     An authenticated user can order records based on a field for which he
     has no access right. This may allow the user to guess values.
     See also https://discuss.tryton.org/t/security-release-for-issue8189/
Checksums-Sha1:
 d46bbccb4666af724371ba5964d8921511f6613a 2323 tryton-server_4.2.1-2+deb9u1.dsc
 acb59596f8ced0742a754ac539dfec9e9bfd9a69 581536 tryton-server_4.2.1.orig.tar.gz
 85d619c8c60083e8a8bd1fc29f9955a41d0ed25c 53332 tryton-server_4.2.1-2+deb9u1.debian.tar.xz
 b59be8c0f241b2c12fcc3a767ddb1d3b7740dd18 122626 tryton-server-doc_4.2.1-2+deb9u1_all.deb
 fca52e233f8e8a2003c3bba94f5474e717aa4df9 365082 tryton-server_4.2.1-2+deb9u1_all.deb
 c66b5e21c2a38b8b053b2ca6a538cd44a45033eb 8043 tryton-server_4.2.1-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
 a8f9b3d963ad58c36923a9ec674f5063ca47988faecc20ebb5904bedc6ccf638 2323 tryton-server_4.2.1-2+deb9u1.dsc
 475e9e5b561c228a4c33ce6b0c0b26213f49b4feaf9fb8f43c1ae8e1f4ba52c6 581536 tryton-server_4.2.1.orig.tar.gz
 accdba2af55f69b8a8b6d77c2506e45bcf7f9da88eea33f4dbb20f70ef56fc2c 53332 tryton-server_4.2.1-2+deb9u1.debian.tar.xz
 084e2f84cb4edb9740ca4e2962bcc2be3ed1b0d2907da7f3f67e0b7fd487a7f5 122626 tryton-server-doc_4.2.1-2+deb9u1_all.deb
 f8f1ceac36461418649ed103538dd9bb078eb6b2cbe9e707fa3797927721e995 365082 tryton-server_4.2.1-2+deb9u1_all.deb
 78f7da067a7f51a296d3798f5f8278d30b9eb49d5bd59dc5c3b9fb9cf4ca141f 8043 tryton-server_4.2.1-2+deb9u1_amd64.buildinfo
Files:
 a09f41c86a41aeec104ac07b21dbbeb4 2323 python optional tryton-server_4.2.1-2+deb9u1.dsc
 ab3e92100e0229ca8a48f03f3dbc5a30 581536 python optional tryton-server_4.2.1.orig.tar.gz
 3ea4e1cb9a06bdf06e858e185bab5e67 53332 python optional tryton-server_4.2.1-2+deb9u1.debian.tar.xz
 a87e364ebb20a02ef909a0b8d6321829 122626 doc optional tryton-server-doc_4.2.1-2+deb9u1_all.deb
 31bd01ef5e2d890c10d8115d3b17c906 365082 python optional tryton-server_4.2.1-2+deb9u1_all.deb
 5ba667fa98f98d400a53650688384d17 8043 python optional tryton-server_4.2.1-2+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
Comment: Signed by Mathias Behrle

iQJFBAEBCgAvFiEErCl+XEa50LYccXaB1tCb5IQFu/YFAlynHdoRHG1hdGhpYXNi
QG05cy5iaXoACgkQ1tCb5IQFu/YjCw//Z0ds/al0XVuiI9oBWdXhHbg3JKeKIiOc
eAt+OW080CNwrN7QAWBT/trVPV+E/R3txNMIAC6NIv7K+9YXKdTJVc9r5XS1M6KV
o6jDAvq2kQy8mGga0aItf2Qjw4u0Hwc7Dy9+ZQq9jubvIuxEO8hDDqNBej6pDnb9
5iz1r1W3WvO00Jzxj//AkTjrEd2MT83wPi/kTx5uejcOAnXF4g76CIZD9aNXwL5c
kEDxZh6omgoBi1e8n1XEQmOhgdhrBPxFhw6YvndPGrIrqt2Kn7T78YSel5EAeAwU
6U3mAt0cQScdCR8TvQcjRyI/gscHa/2SdDdVtJZgn+vVOyOeQJlywmLa3iUHqXvt
ASi2IXLtNXkgEVoUuHdqarposB0QQrzoTxm50o/naKtNUpaVAtzpXWEGGTG/jVfQ
tEhQDreIuN13Fiutl9DPBdMUYwBzzQujXaAuXW0IWTYhZrVATD+dP6Ls4zptbOSO
mtZDW0la+p8nlgLC3oVZLoOLuQAEfZz46XxrQN1v+WYZ3cYpv6LHVKBD99b+3uy9
TytMHcS1fdNPCNWhYhvmTcgA1m44RtUeTy8xo+xnJSpj/onWyGk9vT+KUarLQadG
Nmrgp/k8JmUSDLJ5BFUzNhlha7fbcLo0SQfaQhtN8TsUHEio0PV5UCoS6kWZRpcN
cwc8V1pbSFQ=
=jUU/
-----END PGP SIGNATURE-----
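The two oracles the changelog describes (issue7766: a search domain naming a field the user may not read; issue8189: ordering on such a field) and the read-access check that closes them, as an added example that is not part of this advisory and not Tryton's code. The Model, domain and order API below is a constructed in-memory imitation of an ORM-style search(); the sample records, the hidden 'salary' field and the helper names leak_by_domain/leak_by_order are assumptions for illustration. The advisory describes the dichotomy in terms of equality clauses; this example makes it explicit with a '<=' clause so each probe halves the candidate interval.

```python
"""Constructed stand-in for an ORM search() with and without a
field-level read-access check on domain and order (not Tryton's code)."""
from __future__ import annotations

import operator
from dataclasses import dataclass
from typing import Any


class AccessError(Exception):
    """Raised when a domain or order refers to a field the user cannot read."""


OPS = {'=': operator.eq, '!=': operator.ne, '<': operator.lt,
       '<=': operator.le, '>': operator.gt, '>=': operator.ge}

# Constructed sample data; 'salary' is the field the user has no access to.
RECORDS = {
    1: {'id': 1, 'name': 'alice', 'salary': 4200},
    2: {'id': 2, 'name': 'bob', 'salary': 3100},
    3: {'id': 3, 'name': 'carol', 'salary': 5800},
}


@dataclass
class Model:
    records: dict[int, dict[str, Any]]
    readable: set[str]          # fields the current user may read
    check_access: bool = True   # False reproduces the pre-patch behaviour

    def _check_read_access(self, fields):
        hidden = sorted(f for f in fields if f not in self.readable)
        if self.check_access and hidden:
            raise AccessError('no read access on field(s): %s' % ', '.join(hidden))

    def search(self, domain, order=None):
        """Return ids matching `domain` ([(field, op, value), ...]),
        sorted by `order` ([(field, 'ASC'|'DESC'), ...])."""
        order = order or []
        # The fix: validate every field named in the domain *and* in the
        # order before any record value influences the result.
        self._check_read_access([f for f, _op, _v in domain] + [f for f, _d in order])
        ids = [rid for rid, rec in self.records.items()
               if all(OPS[op](rec[f], v) for f, op, v in domain)]
        for f, direction in reversed(order):  # stable sort, least significant key first
            ids.sort(key=lambda rid: self.records[rid][f], reverse=(direction == 'DESC'))
        return ids


def leak_by_domain(model, rid, fname, lo, hi):
    """Issue7766 oracle: dichotomous search on a hidden numeric field.
    Each probe asks 'does record rid satisfy fname <= mid?' and halves the
    interval, so about log2(hi - lo) queries recover the exact value."""
    probes = 0
    while lo < hi:
        mid = (lo + hi) // 2
        probes += 1
        if model.search([('id', '=', rid), (fname, '<=', mid)]):
            hi = mid
        else:
            lo = mid + 1
    return lo, probes


def leak_by_order(model, fname):
    """Issue8189 oracle: ordering by a hidden field exposes the ranking of
    its values even though none of them can be read directly."""
    return model.search([], order=[(fname, 'ASC')])


def demo():
    user_fields = {'id', 'name'}
    vulnerable = Model(RECORDS, user_fields, check_access=False)
    value, probes = leak_by_domain(vulnerable, 1, 'salary', 0, 10000)
    ranking = leak_by_order(vulnerable, 'salary')

    patched = Model(RECORDS, user_fields, check_access=True)
    blocked = 0
    for attack in (lambda: leak_by_domain(patched, 1, 'salary', 0, 10000),
                   lambda: leak_by_order(patched, 'salary')):
        try:
            attack()
        except AccessError:
            blocked += 1
    # Legitimate searches on readable fields still work after the fix.
    still_works = patched.search([('name', '=', 'bob')]) == [2]
    return {'leaked': value, 'probes': probes, 'ranking': ranking,
            'blocked': blocked, 'still_works': still_works}


if __name__ == '__main__':
    print(demo())
```

Against the unpatched model the salary of record 1 is recovered exactly with a handful of searches that never read the field, and ordering on it reveals that record 2 earns less than record 1, which earns less than record 3. With the check in place both attacks fail with AccessError before any record value is consulted, while a search on a readable field is unaffected.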