Security Release for issue #13142

from Tryton Discussion 2 weeks ago

Cédric Krier has found that trytond accepts compressed content from unauthenticated requests which makes it vulnerable to zip bomb attacks.
Tryton Discussionhttps://discuss.tryton.org/t/security-release-for-issue-13142/7196

A proxy can be deployed in front of the trytond server to forbid this kind of request.
Tryton Discussionhttps://discuss.tryton.org/t/security-release-for-issue-13142/7196

All affected users should upgrade trytond to the latest version.
Tryton Discussionhttps://discuss.tryton.org/t/security-release-for-issue-13142/7196

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.
Tryton Discussionhttps://discuss.tryton.org/t/security-release-for-issue-13142/7196

Read at Tryton Discussion

#trytond #security-vulnerability #zip-bomb-attacks

[

]

[

...

]

Security Release for issue #13142Security Release for issue #13142 Briefly

Security Release for issue #13142
Security Release for issue #13142
Briefly