-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Mar 2017 11:51:14 +0200
Source: tryton-server
Binary: tryton-server tryton-server-doc
Architecture: source all
Version: 4.2.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Tryton Maintainers <maintainers@debian.tryton.org>
Changed-By: Mathias Behrle <mathiasb@m9s.biz>
Description:
 tryton-server - Tryton Application Platform (Server)
 tryton-server-doc - Tryton Application Platform (Server Documentation)
Changes:
 tryton-server (4.2.1-2) unstable; urgency=high
 .
   * Add 02_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360).
     Sanitize path in file_open against suffix.
     The patch for CVE-2016-1242 did not cover all cases. Indeed there is a
     case where an external file could be retrieved if it is stored in a
     folder next to the root of trytond starting with the same name but
     with a suffix. Example: '../trytond_suffix'.
Checksums-Sha1:
 8cac2b50529c3569b60c11c763a9ae2f5a4295fd 2295 tryton-server_4.2.1-2.dsc
 fc7ed77b9c24eb2a540505875d9d7c26b8c07e2f 41028 tryton-server_4.2.1-2.debian.tar.xz
 f79dd30ee6226e61f0717f115c00707430d02e30 122258 tryton-server-doc_4.2.1-2_all.deb
 976404f1dddb3f464a77ec8f108f0f0d7c18e2a1 364566 tryton-server_4.2.1-2_all.deb
 7e72fe8ee26f2f3e56df0640b309fd0b1b72a225 7728 tryton-server_4.2.1-2_amd64.buildinfo
Checksums-Sha256:
 6d294c0f7e63709021b27799f40f28936555578c0f6b86c954303e44b5753b39 2295 tryton-server_4.2.1-2.dsc
 1ccd711a3e703ed01e1a79fac5a052a9d47f3dafefdfcf107fba10883215af34 41028 tryton-server_4.2.1-2.debian.tar.xz
 fbfcb7557e7fec683a732e7f3f1c90e32a5c6ddfe09b3ea1f69f6f077bf6791c 122258 tryton-server-doc_4.2.1-2_all.deb
 81e091344f5f1d1106a8ec2f71ab5422d89ef463a04e1346d7dec1a76d8c92ba 364566 tryton-server_4.2.1-2_all.deb
 469490dbe6a9f4140f793fef62475cac40a8f53b1d4bae172e1eac9d3f95f0a6 7728 tryton-server_4.2.1-2_amd64.buildinfo
Files:
 357bce81763e16d4235c08be54cc7db0 2295 python optional tryton-server_4.2.1-2.dsc
 bd47371971aaee0d4c1e4cc75f18bfe7 41028 python optional tryton-server_4.2.1-2.debian.tar.xz
 8e676dbb5449095c455797cf8a1ec2d4 122258 doc optional tryton-server-doc_4.2.1-2_all.deb
 883adda6430b508956164292148c892c 364566 python optional tryton-server_4.2.1-2_all.deb
 fb7b94b0d343a9060b82df09c259a35e 7728 python optional tryton-server_4.2.1-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
Comment: Signed by Mathias Behrle

iQJFBAEBCgAvFiEErCl+XEa50LYccXaB1tCb5IQFu/YFAljaMrMRHG1hdGhpYXNi
QG05cy5iaXoACgkQ1tCb5IQFu/ap1A//VB5rjV08z4tLA8xu2o9U3hwV/belGWjr
mvfVoDm1c4Ej/9qv7tp9hYam5NkZxrcghicqn/YExxaaD196BGz0FloRURmDcNnk
Q7Uuhq3DyzPV7RBHu1eYpK2Eu7T5MJ+5XhOeBAluzoN5ejXIeAT0VzBPsZHwnTJe
nSEtBdeihgGyZxwBGAE39FkCwctCWH5SltU+mbSro5KEajRV9/8MVVCZUmnwsNau
1EbA0yuruZzSAPaZeN8Ur69uiXaIaNaAwUyKl4P+J5kHQ9E1SrhwgDNmjnpy4gcb
pnKuuUb+rfLs4qMjvk2zCRGzOYZNszfBvsk1Ub8XF6Qpm+x3YkYye6X4ZS+e7ByH
H9bo8OxBt4XCaJnLYJm9dJuY64WF8ql8dGh2wcFHCPAC+8hGzmNJpGdBlL2YLOpA
ziGrozlQFxBj8ioLEYjF7ZZECdiQ5W4iIXBVUo+O3nMBl6X8GyCwat/+qlv2wyjv
xMeyF7KWq9wTYYIq5zJiWrpn7I4pXDrLyS1Yr3046f1y2MN82LTTMTVMen2nD8kM
Zllkel9kvv+ImI3rPsjo3vw1N524sChzWcSW2aW+IHFHm3Hzee3tZ6tEbHq6z/GI
GmYFLHogcGGe5QsRI1Zm9gZV0vRDAHJYoIK2iEbbZRV6LNaFTS/KaEBEEP60Vvvh
0h1XZVZ9Rh4=
=ePLO
-----END PGP SIGNATURE-----
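The suffix case in the changelog above is the classic off-by-a-separator flaw in a string-prefix containment check: a resolved path such as /srv/trytond_suffix/secret.txt "starts with" the root /srv/trytond, so a check that only tests the prefix lets it through. The following is an added Python example, written for this page; it is not trytond's file_open nor the Debian patch, and the root directory, probe file names and function names are constructed for illustration. It puts the weak check beside a hardened one that insists on a directory boundary, and runs both over the changelog's example and a few neighbouring cases (classic traversal, an absolute path, legitimate module paths).

```python
import os

# Constructed stand-in for the directory trytond is installed in.  The real
# root would come from the package location; this value is an assumption.
ROOT = "/srv/trytond"


def resolve(root, name):
    """Join `name` onto `root` and collapse '.' and '..' components.

    This is the path the process would actually open.  Note that
    os.path.join discards `root` entirely when `name` is absolute.
    """
    return os.path.normpath(os.path.join(root, name))


def weak_in_root(root, name):
    """Containment check of the incomplete kind the changelog describes.

    The resolved path only has to start with the root *string*.
    '../trytond_suffix/secret.txt' resolves to
    '/srv/trytond_suffix/secret.txt', which starts with '/srv/trytond',
    so a sibling directory sharing the root's name as a prefix passes.
    """
    return resolve(root, name).startswith(root)


def hardened_in_root(root, name):
    """Containment check that insists on a directory boundary.

    The resolved path must be the root itself or lie below `root + os.sep`.
    Normalising `root` first strips any trailing separator so that
    `root + os.sep` is well formed whatever the caller passed in.
    """
    root = os.path.normpath(root)
    path = resolve(root, name)
    return path == root or path.startswith(root + os.sep)


def secure_path(root, name):
    """Return the path to open, or raise OSError the way a failed open would."""
    if not hardened_in_root(root, name):
        raise OSError("Permission denied: %r escapes %r" % (name, root))
    return resolve(root, name)


# Constructed probe names: the changelog's suffix case (direct and via a
# subdirectory), a classic traversal, an absolute path, and two legitimate
# module paths.  None of these files need to exist; the check is lexical.
PROBES = [
    "../trytond_suffix/secret.txt",
    "modules/../../trytond_suffix/secret.txt",
    "../../etc/passwd",
    "/etc/passwd",
    "modules/ir/__init__.py",
    "modules/../modules/res/user.py",
]


def compare_checks(root=ROOT, probes=PROBES):
    """Map each probe to (weak verdict, hardened verdict) for side-by-side review."""
    return {name: (weak_in_root(root, name), hardened_in_root(root, name))
            for name in probes}


if __name__ == "__main__":
    for name, (weak, hard) in compare_checks().items():
        print("%-45s weak=%-5s hardened=%s" % (name, weak, hard))
```

Both checks already reject the textbook traversal '../../etc/passwd' and an absolute '/etc/passwd'; only the boundary-aware check rejects the sibling-with-suffix case, which is exactly the gap the second CVE closed. Two caveats for anyone reusing the pattern: the check is purely lexical, so if the root may contain symlinks pointing outside it, resolve both sides with os.path.realpath() before comparing (at the cost of touching the filesystem); and the same mistake recurs wherever a string prefix stands in for a hierarchy boundary (URL path prefixes, object-store key prefixes), where the fix is the same: compare against the prefix plus its separator, not the bare prefix.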