* Mathias Behrle: " Bug#1070478: bookworm-pu: package
  tryton-server/tryton-server_6.0.29-2+deb12u2" (Mon, 6 May 2024 10:35:02
  +0200):

> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: tryton-ser...@packages.debian.org
> Control: affects -1 + src:tryton-server
> User: release.debian....@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> Backport the patch to fix the vulnerability to zip bomb
> attacks via decoded gzip content from unauthenticated users.
> https://discuss.tryton.org/t/security-release-for-issue-13142/7196
> 
> In coordination with the security team it was classified as NO-DSA and
> rather be applicable via bookworm-pu.
> 
> [ Impact ]
> Without the patch any unauthenticated users could perform zip bomb
> attacks against tryton-server.
> 
> [ Tests ]
> The test suite completes without errors. The patch is now publicly
> available and in use for 20 days.
> 
> [ Risks ]
> The patch has minimal complexity and is from the upstream author
> who is generally very knowledgeable about his code.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> The upstream commit was added as a patch that allows gzip
> compressed content only for authenticated users.
> 
> 01_avoid_call_to_pypi.patch was refreshed to apply cleanly with no
> further changes.
> 
> [ Other info ]
> This patch also requires a patch for tryton-client in a separate upload
> to prevent a regression of tryton-client when it tries to send gzipped
> content without authentication.


Friendly ping for this one and 1070...@bugs.debian.org as well.

I see that requests for bookworm-pu of other packages were accepted in the
meantime. If there is something missing or wrong with this request please let
me know.

Thanks,
Mathias



-- 

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6
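As an added illustration of the mitigation the bug report describes (accepting gzip-encoded request bodies only from authenticated callers), here is a small Python sketch that is not Tryton's code and not part of the thread. It assumes a hypothetical `decode_body()` hook with an `authenticated` flag supplied by the server, and adds a second guard the patch itself is not stated to include: a hard cap on decompressed size, so even an authenticated caller cannot exhaust memory.

```python
import gzip
import zlib

class DecodeRejected(Exception):
    """Raised when a gzip body is refused or exceeds the decoded-size cap."""

def decode_body(raw: bytes, content_encoding: str, authenticated: bool,
                max_decoded: int = 256 * 1024) -> bytes:
    """Return the request body, decoding gzip only under two guards.

    Guard 1 mirrors the fix discussed in the thread: gzip encoding is
    accepted only when the request is authenticated.
    Guard 2 is an extra hardening assumption (not from the patch): the
    stream is inflated with an output limit, so a bomb is cut off after
    max_decoded bytes instead of being fully expanded in memory.
    """
    if content_encoding.lower() != "gzip":
        return raw
    if not authenticated:
        raise DecodeRejected("gzip body refused for unauthenticated request")
    # wbits=16+MAX_WBITS selects gzip framing for the streaming inflater.
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    data = raw
    try:
        # max_length bounds each call's output; leftover input lands in
        # unconsumed_tail, so we stop as soon as the cap is crossed.
        while data and len(out) <= max_decoded:
            out += inflater.decompress(data, max_decoded + 1 - len(out))
            data = inflater.unconsumed_tail
    except zlib.error as exc:
        raise DecodeRejected(f"malformed gzip body: {exc}") from exc
    if len(out) > max_decoded:
        raise DecodeRejected(f"decoded body exceeds {max_decoded} bytes")
    if not inflater.eof:
        raise DecodeRejected("truncated gzip body")
    return bytes(out)

def rejects(*args, **kwargs) -> bool:
    """True if decode_body() refuses the given request (used by tests)."""
    try:
        decode_body(*args, **kwargs)
    except DecodeRejected:
        return True
    return False

# Constructed samples: a tiny legitimate body and a highly compressible
# 1 MiB payload that stands in for a bomb (a real one just scales the ratio).
SAMPLE_HELLO = gzip.compress(b"hello")
SAMPLE_BOMB = gzip.compress(b"\0" * (1 << 20))
```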
