News

Posted about 2 years ago by ced
Synopsis

XML parsing vulnerabilities have been found by Jeremy Mousset in trytond and some modules. With issue11219 an authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. With issue11244 a non-authenticated user can send a crafted XML-RPC message to consume all the resources of the server.

Impact

issue11219
CVSS v3.0 Base Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

issue11244
CVSS v3.0 Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Workaround

It is possible to activate defusedxml, define default lxml parsers that do not resolve entities and upgrade expat to 2.4.1 or newer.

Resolution

All affected users should upgrade trytond and proteus to the latest version.

Affected versions per series:
trytond:
6.2: <= 6.2.5
6.0: <= 6.0.15
5.0: <= 5.0.45
proteus:
6.2: <= 6.2.1
6.0: <= 6.0.4
5.0: <= 5.0.11

Non affected versions per series:
trytond:
6.2: >= 6.2.6
6.0: >= 6.0.16
5.0: >= 5.0.46
proteus:
6.2: >= 6.2.2
6.0: >= 6.0.5
5.0: >= 5.0.12

Reference

Issue 11219: A user can read the content of files on the machine running trytond by exploiting XEE vulnerability in camt54 parsing - Tryton issue tracker
Issue 11244: A non authenticated user can cause a denial of service with a single request using an xml bomb attack on xmlrpc - Tryton issue tracker

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

2 posts - 2 participants
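The workaround in the advisory (defusedxml, lxml parsers that do not resolve entities, a newer expat) comes down to one rule on the parser side: refuse DTD entity declarations before the document body is ever parsed, and never fetch anything a DTD points at. The block below is an added example, not code from Tryton or from the advisory; it reproduces that rule on the standard library's expat bindings alone (what defusedxml does internally), with constructed sample documents, so the check runs without lxml or defusedxml installed. The file path in the external-entity sample is a placeholder.

```python
"""Hardened XML parsing with only the standard library, in the spirit of
defusedxml.  Added example, not Tryton code.

Both issues in the advisory come from a parser that honours DTD entity
declarations: an external entity (SYSTEM "file:///...") makes the parser read
local files, and a chain of internal entities makes it expand an unbounded
amount of text.  The parser below refuses any document that declares an entity
and never resolves external references, so neither can happen.
"""
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a document uses a DTD feature the application never needs."""


def parse_hardened(data: bytes, forbid_dtd: bool = False) -> dict:
    """Parse `data` with a parser that rejects entity declarations and external
    references.  Returns {"root": <root tag>, "text": {tag: concatenated text}}.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "text": {}}
    open_tags = []

    def entity_decl(name, is_parameter_entity, value, base, system_id,
                    public_id, notation_name):
        # expat calls this while reading the DTD, before the entity can be
        # referenced in the body, so raising here stops both an external
        # SYSTEM/PUBLIC entity and an internal expansion chain.
        kind = "external" if (system_id or public_id) else "internal"
        raise ForbiddenXML(f"{kind} entity declaration {name!r} not allowed")

    def unparsed_entity_decl(name, base, system_id, public_id, notation_name):
        raise ForbiddenXML(f"unparsed entity declaration {name!r} not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        # Nothing referenced from a DTD is ever fetched; fail loudly rather
        # than silently skipping the reference.
        raise ForbiddenXML(f"external reference {system_id!r} not allowed")

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE not allowed")

    def start_element(name, attributes):
        if result["root"] is None:
            result["root"] = name
        open_tags.append(name)
        result["text"].setdefault(name, "")

    def end_element(name):
        open_tags.pop()

    def character_data(text):
        if open_tags:
            result["text"][open_tags[-1]] += text

    parser.EntityDeclHandler = entity_decl
    parser.UnparsedEntityDeclHandler = unparsed_entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data

    # An exception raised inside a handler aborts the parse and propagates.
    parser.Parse(data, True)
    return result


def is_accepted(data: bytes, forbid_dtd: bool = False) -> bool:
    """True if the hardened parser accepts the document, False if it refused a
    DTD feature.  Malformed XML still raises xml.parsers.expat.ExpatError."""
    try:
        parse_hardened(data, forbid_dtd=forbid_dtd)
    except ForbiddenXML:
        return False
    return True


def expat_has_amplification_limit() -> bool:
    """The advisory also lists upgrading expat to 2.4.1 or newer; this reports
    whether the interpreter's expat is at least that version."""
    return xml.parsers.expat.version_info >= (2, 4, 1)


# Constructed sample documents (not real SEPA or XML-RPC payloads).
SAFE_DOC = b"<?xml version='1.0'?><Document><MsgId>demo-001</MsgId></Document>"
INTERNAL_ENTITY_DOC = b"<!DOCTYPE d [<!ENTITY a 'aaaa'>]><d>&a;</d>"
EXTERNAL_ENTITY_DOC = (b"<!DOCTYPE d [<!ENTITY x SYSTEM 'file:///PLACEHOLDER-PATH'>]>"
                       b"<d>&x;</d>")
EMPTY_DOCTYPE_DOC = b"<!DOCTYPE d><d/>"


if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DOC),
                       ("internal entity", INTERNAL_ENTITY_DOC),
                       ("external entity", EXTERNAL_ENTITY_DOC)]:
        print(f"{label:16s} accepted={is_accepted(doc)}")
    print("expat >= 2.4.1:", expat_has_amplification_limit())
```

The declaration handler fires as soon as the DTD is read, which is why rejection there covers the file-read case (issue11219) and the expansion case (issue11244) with a single check; `forbid_dtd=True` is the stricter setting for feeds such as XML-RPC that never legitimately carry a DOCTYPE.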
Posted about 2 years ago by ced
Here’s a sneak peek at the improvements that landed during the last month.

Changes for the User

To shipments we’ve added a field that calculates the total weight of the packages. It is now possible to configure which units are used for the shipment volume and weight (instead of the hard coded values).

The clients now have an upper limit when counting records. They also use a human readable format for the count to a precision of 4 figures, and now display the number of records selected as well.

Users can now configure for each view which optional columns to display. All the list views have been reviewed to add or mark optional columns and provide a simplified version by default.

The model, field and column are now displayed in the import error message. This makes it easier for the user to find mistakes in a CSV file.

Tryton now also searches for the BIC when searching by bank name. And when searching bank account numbers, it only searches for the starting number.

We added a test to reconcile all the lines when running the reconcile account wizard. This ensures this special case is always found even if the number of lines is greater than the reconciliation chunk.

The general ledger now hides the debit/credit columns if there are no lines for the period. And by default the list opens with only the accounts that contain lines.

A default statement journal is created automatically when the account_statement module is activated. This eases on-boarding new users.

When searching for a payment to link to a statement line, Tryton displays the payment with the closest amount first.

The chart of accounts now forces child accounts to have the same type as the parent account (if it has one).

Tryton now supports the Shopify webhook which allows orders to be updated as soon as the event happens (instead of needing to wait for the scheduled task).

The SIREN and SIRET numbers are now stored as party identifiers. And an identifier can be linked to an address in the same way as SIRET.

We now raise a warning when validating a supplier invoice that has the same reference as another invoice.

It is now forbidden to decrease the number of digits of a unit of measure. This was needed to prevent validation errors on existing records that use that unit of measure.

New Modules

The Account Invoice Watermark Module adds a draft or paid watermark to the printed invoice.

The Account Tax Non-Deductible Module allows defining non-deductible taxes and reporting them.

The Sale Invoice Date Module fills in the invoice date for invoices created by sales. The invoice date is used for grouping, allowing invoices to be generated based on a period (i.e. for monthly invoices).

Changes for the Developer

We support limit and offset to ModelSQL count search and search_count. The ORM optimizes the query to avoid reading unnecessary records when the limit is smaller than the number of records in the table.

We improved the parsing in the get_eval_fields function to be 60% faster.

The desktop client uses, by default, UTF-8 with BOM for the CSV import/export.

The domain of a Reference field is now a dictionary which contains a separate domain for each target model.

The order of unsorted Selection fields is now based on the index of the field definition. For example ordering sales by the state field will put drafts first, then quotations, etc.

The server retries by default 5 times on temporary SMTP server errors.

We replaced the ilike operator on Reference fields by a simple like. This may allow the database engine to use indexes.

1 post - 1 participant
Posted about 2 years ago by ced
Time goes by and improvements to Tryton continue to be made. Here you can find the latest changes which have been included in the last month.

Changes for the User

The forecasts are now used for all supply calculations instead of only the purchase requests.

In the web client, the list of tabs no longer wraps on large screens but scrolls horizontally, and each tab entry takes up the full width on small screens.

We now calculate an early date for the partial quantity if there isn’t one for the full quantity.

It is no longer possible to close (or remove) the type of an account that is already used in account move lines.

The auto-detection of CSV headers now stops on the first error in the web client.

We now support editing Shopify orders.

The accounts can have another type when their balance is a credit. This is the opposite of the existing debit type.

We no longer create dunnings for lines with pending payment.

Production orders with missing early moves are no longer proposed for early planning.

We renamed the split lines accounting wizard into reschedule lines to be less confusing.

Changes for the System Administrator

The country module supports pycountry version 22.1.10.

We mirror the geonames zip files and use our mirror by default. This was needed because the original host has frequent downtime.

We removed the entropy check on user passwords. We found that it was not a good way to enforce good passwords. We recommend using the forbidden list instead.

Changes for the Developer

We process sales for Shopify asynchronously as it can be quite slow due to the Shopify rate limit.

The view_id is now set in the context when parsing the view. So it can be used to apply attributes depending on the view in ModelView.view_attributes.

We replaced the deepcopy of the JSON-RPC result in the desktop client by a faster implementation based on the json types.

The country module can now load subdivisions with unknown types. This was needed to support future versions of pycountry.

The ORM now uses the already cached data to instantiate relational target records for which the context depends on other fields. This optimization prevents extra SQL queries in most cases.

The stock margin report retrieves the product’s unit from the SQL query instead of using a Function field which was triggering a second execution of the table query.

We replaced the back-off time on Shopify API calls by an automatic retry loop. This allows the first calls to be made quickly until they consume the available bucket.

The board action domain is now limited to active_id and active_ids and they are stored in a dedicated _actions dictionary.

We added on ir.ui.view the view_get RPC method which can be used by the board to support inheritance like the other views.

The xpath inheritance of views now applies to all matching elements (instead of only the first) by default.

2 posts - 2 participants
Posted about 2 years ago by ced
The Tryton team wishes you a happy new year. Here are the changes that the team has already prepared for the next version.

Changes for the User

We store the factors used to allocate landed costs. They will be used if the landed cost is cancelled instead of recalculating them (which can result in different factors over time).

When recalling advance payments we now invoice a negative quantity instead of a negative price.

The attention name is now part of the default address format.

Changes for the System Administrator

It is now possible to set combined authentication method options which can be used to make some of the authentication methods optional. In a base installation of Tryton the options are for connections from an IP address in a known network and for client connections from a known device. This can be used, for example, to enforce the second factor, such as SMS authentication, only for external IPs.

Changes for the Developer

We’ve added a simple logger to the web client which provides a similar API to the Python logger. The log level can be changed from the browser console by running: Sao.Logger.set_level(Sao.Logging.INFO);

We now enforce the import order in the .py files using isort (see our Python style guidelines).

The tests, run with tox, now report their coverage.

It is now possible with the creatable attribute to specify if a view can be used to create new records. The client will automatically switch to another view if the user tries to create a record from a view where this is false, even if the view is editable.

We’ve added support for Python 3.10 and removed Python 3.6, following our policy to support only upstream supported versions.

The Shopify module will delete only the metafields that are managed by Tryton.

We’ve replaced the balanced move check Python code with an SQL query. This speeds up the process a lot, especially for moves that have lots of lines.

3 posts - 3 participants
Posted over 2 years ago by pokoli
As we are ending the year I would like to give an update about the tasks performed by the foundation.

Unfortunately we still haven’t finished the two tasks that were funded in the Foundation Budget Update:

Creating an overview of the infrastructure.
Improving our website contents.

Our apologies for not having completed them yet. We all had a hard time last year and a reduced quantity of resources. Having said that, we want to clarify that the budgeted money for these tasks isn’t spent yet. Our plan is to perform them in the next year.

We haven’t received any proposal for the infrastructure maintenance for the next year. But we would like to thank B2CK for continuing to provide us a reliable infrastructure. Despite not having the infrastructure overview available, I would encourage anyone willing to help on such a task to contact the foundation or send me a direct message expressing their interest. We will be happy to comment on any proposal and provide more details of the needed work.

On the other hand, I have some news related to other foundation missions: Protect the Tryton trademark. We have renewed the Tryton Trademark registration for the next 10 years.

Our commitment is to continue improving step by step, so I would like to advance some of the topics we are planning to work on:

The budget for the next year.
The board of foundation directors renewal until November 2022.

I would like to remind you that the foundation exists thanks to its supporters and you can become one by sending us an email. If you want to support the project I would encourage you to become a supporter. Also we are open to suggestions and feedback and we want to listen to all voices in the community. If you have some idea or something that you think is relevant for the next foundation budget I would encourage you to share it on the forum or contact the foundation.

I can not end without a photo of our Spanish Santa Claus:

Merry Christmas and Happy New Year to everyone!

2 posts - 2 participants