Security update for tryton SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:4242-1 Final 1 1 2018-12-22T12:28:06Z current 2018-12-22T12:28:06Z 2018-12-22T12:28:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tryton This update for tryton to version 4.2.19 fixes the following issues: Security issue fixed: - CVE-2018-19443: Fixed an information leakage by attemping to initiate an unencrypted connection, which would fail eventually, but might leak session information of the user (boo#1117105) This update also contains newer versions of tryton related packages with general bug fixes and updates: - trytond 4.2.17 - trytond_account 4.2.10 - trytond_account_invoice 4.2.7 - trytond_purchase_request 4.2.4 - trytond_stock 4.2.8 - trytond_stock_supply 4.2.3 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00056.html E-Mail link for openSUSE-SU-2018:4242-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub for SUSE Linux Enterprise 15 tryton-4.2.19-bp150.2.6.1 trytond-4.2.17-bp150.2.6.1 trytond_account-4.2.10-bp150.3.3.1 trytond_account_invoice-4.2.7-bp150.3.3.1 trytond_purchase_request-4.2.4-bp150.3.3.1 trytond_stock-4.2.8-bp150.3.3.1 trytond_stock_supply-4.2.3-bp150.3.6.1 tryton-4.2.19-bp150.2.6.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 trytond-4.2.17-bp150.2.6.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 trytond_account-4.2.10-bp150.3.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 trytond_account_invoice-4.2.7-bp150.3.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 trytond_purchase_request-4.2.4-bp150.3.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 trytond_stock-4.2.8-bp150.3.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 trytond_stock_supply-4.2.3-bp150.3.6.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. CVE-2018-19443 SUSE Package Hub for SUSE Linux Enterprise 15:tryton-4.2.19-bp150.2.6.1 SUSE Package Hub for SUSE Linux Enterprise 15:trytond-4.2.17-bp150.2.6.1 SUSE Package Hub for SUSE Linux Enterprise 15:trytond_account-4.2.10-bp150.3.3.1 SUSE Package Hub for SUSE Linux Enterprise 15:trytond_account_invoice-4.2.7-bp150.3.3.1 SUSE Package Hub for SUSE Linux Enterprise 15:trytond_purchase_request-4.2.4-bp150.3.3.1 SUSE Package Hub for SUSE Linux Enterprise 15:trytond_stock-4.2.8-bp150.3.3.1 SUSE Package Hub for SUSE Linux Enterprise 15:trytond_stock_supply-4.2.3-bp150.3.6.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00056.html https://www.suse.com/security/cve/CVE-2018-19443.html CVE-2018-19443 https://bugzilla.suse.com/1117105 SUSE Bug 1117105