Bugzilla – Bug 1117105
VUL-1: CVE-2018-19443: tryton: The client tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances
Last modified: 2018-12-22 23:45:05 UTC
CVE-2018-19443 The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19443
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19443.html
https://discuss.tryton.org/t/security-release-for-issue7792/830
https://bugs.tryton.org/issue7792
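The failure mode described above (a bus URL rebuilt with the wrong scheme, so the session header goes out over plain http to a TLS-only server) is easy to reproduce in miniature. The following is an added, hypothetical illustration written for this page; it is not Tryton's bus.py or jsonrpc.py, and the URL layout, the "Session" authorization header format and the sample request log are assumptions. It shows the vulnerable URL construction beside a hardened one, a guard that refuses to attach a session token to a cleartext URL, and an audit pass over constructed outgoing requests that would have flagged this bug.

```python
"""Added example for CVE-2018-19443's failure mode (hypothetical, not Tryton code)."""
from urllib.parse import urlsplit, urlunsplit


class PlaintextSessionLeak(Exception):
    """Raised when a session token would be sent over a cleartext URL."""


def bus_url_vulnerable(server_url, database):
    # Bug pattern: the scheme is rebuilt from a literal instead of being
    # carried over from the server connection, so an https server gets an
    # http bus URL. (Assumed path layout: /<database>/bus.)
    parts = urlsplit(server_url)
    return "http://%s/%s/bus" % (parts.netloc, database)


def bus_url(server_url, database):
    # Hardened: reuse scheme, host and port of the server URL unchanged.
    parts = urlsplit(server_url)
    return urlunsplit((parts.scheme, parts.netloc, "/%s/bus" % database, "", ""))


def build_bus_request(server_url, database, session, allow_plaintext=False):
    """Return (url, headers) for a bus long-poll.

    Refuses to attach the session token to anything but https unless the
    caller explicitly opts in (e.g. a loopback development server).
    """
    url = bus_url(server_url, database)
    scheme = urlsplit(url).scheme
    if scheme != "https" and not allow_plaintext:
        raise PlaintextSessionLeak(
            "refusing to send session over %s to %s" % (scheme, url))
    # Assumed header shape; real clients may encode user/session differently.
    headers = {"Authorization": "Session " + session}
    return url, headers


def audit_requests(requests):
    """Return the URLs of outgoing requests that carry a Session
    authorization header over a cleartext scheme.

    `requests` is an iterable of (url, headers) tuples.
    """
    leaks = []
    for url, headers in requests:
        auth = headers.get("Authorization", "")
        if auth.startswith("Session ") and urlsplit(url).scheme != "https":
            leaks.append(url)
    return leaks


# Constructed sample of what a client might have emitted (not captured traffic).
SAMPLE_REQUESTS = [
    ("https://erp.example.test:8000/demo/", {"Authorization": "Session abc"}),
    ("http://erp.example.test:8000/demo/bus", {"Authorization": "Session abc"}),
    ("https://erp.example.test:8000/demo/bus", {"Authorization": "Session abc"}),
    ("http://erp.example.test:8000/demo/", {}),
]


if __name__ == "__main__":
    server = "https://erp.example.test:8000"
    print("vulnerable:", bus_url_vulnerable(server, "demo"))
    print("hardened:  ", bus_url(server, "demo"))
    print("leaks found:", audit_requests(SAMPLE_REQUESTS))
    try:
        build_bus_request("http://erp.example.test:8000", "demo", "abc")
    except PlaintextSessionLeak as exc:
        print("guard:", exc)
```

The guard is the practitioner's takeaway: the scheme of any request that carries a bearer-style credential should be derived from the already-established TLS connection, and a cleartext fallback should be an explicit, audited exception rather than a silent default.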
Latest version is 4.2.18, so openSUSE is not affected
We are affected in Leap 15. Fix is already in place and will be submitted short term (waiting for GNU Health Client)
Thanks for verifying and catching my error. My understanding was that only 5.X is affected and I could only find 4.2.Y in Factory.
This is an autogenerated message for OBS integration: This bug (1117105) was mentioned in
https://build.opensuse.org/request/show/657440 Factory / trytond
https://build.opensuse.org/request/show/657441 Factory / trytond_purchase_request
https://build.opensuse.org/request/show/657442 Factory / trytond_stock_supply
https://build.opensuse.org/request/show/657443 15.0 / tryton
https://build.opensuse.org/request/show/657444 15.0 / trytond
https://build.opensuse.org/request/show/657445 15.0 / trytond_account
https://build.opensuse.org/request/show/657446 15.0 / trytond_account_invoice
https://build.opensuse.org/request/show/657465 15.0 / trytond_purchase_request
https://build.opensuse.org/request/show/657466 15.0 / trytond_stock
https://build.opensuse.org/request/show/657468 15.0 / trytond_stock_supply
https://build.opensuse.org/request/show/657469 42.3 / tryton
https://build.opensuse.org/request/show/657470 42.3 / trytond
https://build.opensuse.org/request/show/657471 42.3 / trytond_account
https://build.opensuse.org/request/show/657472 42.3 / trytond_account_invoice
https://build.opensuse.org/request/show/657477 42.3 / trytond_currency
https://build.opensuse.org/request/show/657480 42.3 / trytond_purchase
https://build.opensuse.org/request/show/657481 42.3 / trytond_purchase_request
https://build.opensuse.org/request/show/657482 42.3 / trytond_stock
https://build.opensuse.org/request/show/657484 42.3 / trytond_stock_supply
This is an autogenerated message for OBS integration: This bug (1117105) was mentioned in
https://build.opensuse.org/request/show/657882 42.3 / tryton
https://build.opensuse.org/request/show/657883 15.0 / tryton
done
openSUSE-SU-2018:4242-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1117105
CVE References: CVE-2018-19443

Sources used:
openSUSE Leap 15.0 (src): tryton-4.2.19-lp150.2.10.1, trytond-4.2.17-lp150.2.15.1, trytond_account-4.2.10-lp150.2.3.1, trytond_account_invoice-4.2.7-lp150.2.3.1, trytond_purchase_request-4.2.4-lp150.2.3.1, trytond_stock-4.2.8-lp150.2.3.1, trytond_stock_supply-4.2.3-lp150.2.7.1
openSUSE Backports SLE-15 (src): tryton-4.2.19-bp150.2.6.1, trytond-4.2.17-bp150.2.6.1, trytond_account-4.2.10-bp150.3.3.1, trytond_account_invoice-4.2.7-bp150.3.3.1, trytond_purchase_request-4.2.4-bp150.3.3.1, trytond_stock-4.2.8-bp150.3.3.1, trytond_stock_supply-4.2.3-bp150.3.6.1
openSUSE-SU-2018:4248-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1107771,1117105
CVE References: CVE-2018-19443

Sources used:
openSUSE Leap 42.3 (src): tryton-4.2.19-28.1, trytond-4.2.17-33.1, trytond_account-4.2.10-12.1, trytond_account_invoice-4.2.7-2.3.1, trytond_currency-4.2.2-6.1, trytond_purchase-4.2.6-9.1, trytond_purchase_request-4.2.4-9.1, trytond_stock-4.2.8-12.1, trytond_stock_supply-4.2.3-2.3.1