MEDIUM 4.4

PYSEC-2016-41

Details

file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / tryton

Introduced in: 0 Fixed in: 3.2.17

Fix pip install --upgrade 'tryton>=3.2.17'

References

https://bugs.tryton.org/issue5808 [REPORT]
http://www.debian.org/security/2016/dsa-3656 [ADVISORY]
http://www.tryton.org/posts/security-release-for-issue5795-and-issue5808.html [ADVISORY]