Planet Open ERP

Planet Open Object

openerp: what's new online

Tuesday, May 18, 2010

Security Bugfixes for Stable 5.0.11

Hello all,

During the last month or so we worked on fixing outstanding potential sql injection vectors in the server [1] and various addons [2].
These branches are currently in my launchpad account [3] and we're planning on merging them into stable with 5.0.11.

They should be stable, but we might have introduced a few bugs (or missed a few vectors), would it be possible that you test them and report back?

Thank you very much.
Regards,

Stéphane Wirtel

[1] https://code.launchpad.net/~stephane-openerp/openobject-addons/5.0_security_branche_sql_injection
[2] https://code.launchpad.net/~stephane-openerp/openobject-server/5.0_security_branche_sql_injection
[3] https://code.launchpad.net/~stephane-openerp

6 comments:

Cédric Krier said...

Really strange to make security issues public before release.
I find that is not a professional behavior and it doesn't follow the OpenERP SA announced process about this kind of issue.

Nhomar said...

Im not agree with this.... all security issues must be open exactly in this way, every implementation must be secured by the own administrator...

Great Notice stephane, i will proof and we will give our feedback by expert mailing list!.

Cédric Krier said...

@Nhomar what I try to say it is that doing this goes in the opposite way of what OpenERP SA has told they will fix security in OpenERP.
Some months ago, I started a thread on the forum to know how to report security issue. It was told that it must use launchpad bug-tracker with the security flag (which make it visible to only security team). By the way, my thread was deleted.
There was also an other example with a tweet of @datrus (if I remember well) about a security issue and again the tweet was deleted at OpenERP SA demand.

So all I want to point is that this branch is completely in disagreement with OpenERP SA process.

After it is a long debat between "full disclosure" or "limited disclosure".

Nhomar said...

@Cédric

Hello.

The security issues, _must_ be markedin launchpad like "Security Bug", and it will be treated like this.

In community days OpenERP SA said that the security hole will be released inmediatly to paid users with mantinance program.... It is well... but I think the order should be....

-- Post Bug.
-- Update openERPSA customers....
-- Release a beta (exactly in this way).
-- Merge in next release

_never_ the first step should be
-- Post on twiter ---- :-s

BTW If your post was deleted probably OpenERP SA is working on it.... but you need mark in this way for you have available access in future by your user...

Please check this:
https://help.launchpad.net/Bugs/Subscriptions/#Bug%20mail%20headers

regards

Cédric Krier said...

@Nhomar
First, it was not my tweet and the issue is still not fixed.
I completely disagree with the release beta process. It must be directly a release because nobody will update a production software with a beta release.

Anderson Joey said...

Great blog post. I used to be checking continuously this blog and I am impressed! Extremely helpful information specially the closing phase :) I deal with such info a lot. I used to be seeking this particular information for a very lengthy time. Thanks and good luck.
ERP Ecuador