Security warning for Tryton-sao


Axel Braun

Mar 8, 2018, 4:45:02 PM
to try...@googlegroups.com, hea...@gnu.org
Dear all,

please be aware that there is a security issue with Tryton Sao, the web client
of the Tryton ERP platform.

Sao is based on jQuery 2.x, which is not maintained anymore [1].

The developers of jQuery state:
<quote>
jQuery 2.x is no longer maintained and contains vulnerabilities that could
lead to security issues in add-ons
</quote>

The issue that sao is in the meantime based on unmaintained and insecure software
components was discussed, but is unsolved up to now [2].

As all versions of sao including Tryton 4.6 are affected, there is currently
no migration or upgrade path.

I have disabled the build for sao packages on openSUSE until further notice.

Have a good weekend
Axel

[1] https://bugs.tryton.org/issue7140
[2] https://bugs.tryton.org/issue5925
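The message above turns on which jQuery line a sao build bundles. Below is an added example (not from the thread, and not part of the Tryton or sao projects) of the kind of check a packager can run over a build directory: it reads the version banner that jQuery builds carry at the top of the file, both the minified `/*! jQuery vX.Y.Z` form and the unminified `jQuery JavaScript Library vX.Y.Z` form, and flags anything whose major version is below 3. The thread only states that 2.x is unmaintained; treating 1.x the same way is this example's own assumption, as are the file names and contents in `SAMPLE_FILES`, which are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version banners found at the top of jQuery builds:
#   minified:   /*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */
#   unminified: /*!\n * jQuery JavaScript Library v3.3.1\n * https://jquery.com/
_BANNERS = [
    re.compile(r"/\*!\s*jQuery v(\d+)\.(\d+)\.(\d+)"),
    re.compile(r"jQuery JavaScript Library v(\d+)\.(\d+)\.(\d+)"),
]

# Assumption for this example: any jQuery major below 3 is treated as
# unmaintained (the thread states this for 2.x; 1.x is assumed here).
UNMAINTAINED_BELOW_MAJOR = 3


def jquery_version(source: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a jQuery banner, or None if absent.

    Only the head of the file is inspected: the banner is always at the top,
    and scanning a whole minified bundle for 'jQuery v' would produce false
    positives from plugins that mention the version they require.
    """
    head = source[:2000]
    for pattern in _BANNERS:
        match = pattern.search(head)
        if match:
            major, minor, patch = (int(x) for x in match.groups())
            return (major, minor, patch)
    return None


def is_unmaintained(version: Tuple[int, int, int]) -> bool:
    """True when the bundled major version is below the maintained line."""
    return version[0] < UNMAINTAINED_BELOW_MAJOR


def audit(files: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Report every file carrying a jQuery banner as (path, version, flagged).

    Files without a banner (application code, other libraries) are skipped so
    the report only lists the copies of jQuery actually shipped.
    """
    findings = []
    for path, text in files.items():
        version = jquery_version(text)
        if version is None:
            continue
        findings.append((path, ".".join(map(str, version)), is_unmaintained(version)))
    return findings


# Constructed sample build directory: one 2.x minified copy, one 3.x
# unminified copy, and one application file with no jQuery banner.
SAMPLE_FILES = {
    "www/jquery.min.js": (
        "/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */\n"
        "!function(a,b){\"object\"==typeof module?module.exports=b(a):b(a)}(this,function(w){});\n"
    ),
    "www/jquery-3.3.1.js": (
        "/*!\n * jQuery JavaScript Library v3.3.1\n * https://jquery.com/\n */\n"
        "(function(global, factory) {})(typeof window !== 'undefined' ? window : this);\n"
    ),
    "www/sao.js": "/* application client code, no jQuery banner */\n(function() {})();\n",
}


if __name__ == "__main__":
    for path, version, flagged in audit(SAMPLE_FILES):
        status = "UNMAINTAINED" if flagged else "ok"
        print(f"{path}: jQuery {version} [{status}]")
```

In a real package build the `SAMPLE_FILES` dict would be replaced by reading every `*.js` file under the unpacked source tree; the banner-based detection is deliberately narrow so that a build that renames or concatenates jQuery into another bundle is reported by the banner it still carries rather than by its file name.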

Cédric Krier

Mar 8, 2018, 6:40:11 PM
to try...@googlegroups.com, hea...@gnu.org
On 2018-03-08 22:44, Axel Braun wrote:
> please be aware that there is a security issue with Tryton Sao, the web client
> of the Tryton ERP platform.
>
> Sao is based on jQuery 2.x, which is not maintained anymore [1].
>
> The developers of jQuery state:
> <quote>
> jQuery 2.x is no longer maintained and contains vulnerabilities that could
> lead to security issues in add-ons
> </quote>
>
> The issue that sao is in the meantime based on unmaintained and insecure software
> components was discussed, but is unsolved up to now [2].
>
> As all versions of sao including Tryton 4.6 are affected, there is currently
> no migration or upgrade path.
>
> I have disabled the build for sao packages on openSUSE until further notice.

This is FUD. There is no known security issue with the usage of sao.
The security issues known for jQuery are for XSS, which sao does not do,
see https://www.cvedetails.com/vulnerability-list/vendor_id-6538/Jquery.html

If you think there is any security issue, please be responsible and follow the
proper way:
http://www.tryton.org/how-to-contribute.html#submitting-issue

If you are concerned, I would suggest you work on providing a patch for
https://bugs.tryton.org/issue5925, which will be welcomed of course.

--
Cédric Krier - B2CK SPRL
Email/Jabber: cedric...@b2ck.com
Tel: +32 472 54 46 59
Website: http://www.b2ck.com/