Debian alert DLA-3853-1 (tryton-server)
| From: | Markus Koschany <apo@debian.org> |
| To: | debian-lts-announce <debian-lts-announce@lists.debian.org> |
| Subject: | [SECURITY] [DLA 3853-1] tryton-server security update |
| Date: | Mon, 01 Jul 2024 00:11:31 +0200 |
| Message-ID: | <ab70a6c7d90b472e6493f7139ac0fc320cecb4a4.camel@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3853-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 30, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : tryton-server
Version        : 5.0.4-2+deb10u3
CVE ID         : not yet available

Cédric Krier has found that trytond, the Tryton application server, accepts
compressed content from unauthenticated requests which makes it vulnerable to
zip bomb attacks.

For Debian 10 buster, this problem has been fixed in version
5.0.4-2+deb10u3.

We recommend that you upgrade your tryton-server packages.

For the detailed security status of tryton-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
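The class of issue described in the advisory, as an added example that is not part of the advisory and is not the Tryton or Debian patch: a request-body decoder that refuses compressed content from unauthenticated callers and caps how much it will inflate for authenticated ones. The names `read_body` and `BodyRejected`, the 1 MiB limit and the reject-when-anonymous policy are assumptions made for illustration.

```python
import gzip
import zlib

MAX_BODY = 1024 * 1024  # assumed cap on the decoded body (1 MiB)


class BodyRejected(Exception):
    """The request body must not be decoded or is too large."""


def read_body(raw, content_encoding, authenticated, limit=MAX_BODY):
    """Return the decoded body, bounding the work done on compressed input."""
    encoding = (content_encoding or "identity").strip().lower()
    if encoding == "identity":
        if len(raw) > limit:
            raise BodyRejected("body exceeds limit")
        return raw
    if encoding not in ("gzip", "deflate"):
        raise BodyRejected("unsupported Content-Encoding")
    if not authenticated:
        # Policy assumed here: never inflate data for an anonymous caller.
        raise BodyRejected("compressed body on unauthenticated request")
    # wbits = MAX_WBITS | 32 auto-detects a gzip or zlib header.
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    data = raw
    try:
        while data:
            # Ask for at most one byte past the limit, never the whole stream.
            out += inflater.decompress(data, limit + 1 - len(out))
            if len(out) > limit:
                raise BodyRejected("decompressed body exceeds limit")
            data = inflater.unconsumed_tail
    except zlib.error as exc:
        raise BodyRejected("corrupt compressed body") from exc
    if not inflater.eof:
        raise BodyRejected("truncated compressed body")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 20 MiB of zeros shrinks to a few tens of KiB.
    bomb = gzip.compress(b"\0" * (20 * 1024 * 1024))
    print("compressed size:", len(bomb))
    for auth in (False, True):
        try:
            read_body(bomb, "gzip", authenticated=auth)
        except BodyRejected as exc:
            print("authenticated=%s rejected: %s" % (auth, exc))
```

Passing `max_length` to `decompress()` is what keeps memory bounded: the decoder stops as soon as the cap is crossed instead of materialising the full expanded stream.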
