Bug#1070478: bookworm-pu: package tryton-server/tryton-server_6.0.29-2+deb12u2

To: 1070478@bugs.debian.org
Subject: Bug#1070478: bookworm-pu: package tryton-server/tryton-server_6.0.29-2+deb12u2
From: Mathias Behrle <mbehrle@debian.org>
Date: Mon, 10 Jun 2024 08:02:09 +0200
Message-id: <[🔎] 20240610080209.153bb676@monsterix.mbehrle.de>
Reply-to: Mathias Behrle <mbehrle@debian.org>, 1070478@bugs.debian.org
In-reply-to: <20240506103502.1ed277de@monsterix.mbehrle.de>
References: <20240506103502.1ed277de@monsterix.mbehrle.de> <20240506103502.1ed277de@monsterix.mbehrle.de>

* Mathias Behrle: " Bug#1070478: bookworm-pu: package
  tryton-server/tryton-server_6.0.29-2+deb12u2" (Mon, 6 May 2024 10:35:02
  +0200):

> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: tryton-server@packages.debian.org
> Control: affects -1 + src:tryton-server
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> Backport the patch to fix the vulnerabilty to zip bomb
> attacks via decoded gzip content from unauthenticated users.
> https://discuss.tryton.org/t/security-release-for-issue-13142/7196
> 
> In coordination with the security team it was classified as NO-DSA and
> rather be applicable via bookworm-pu.
> 
> [ Impact ]
> Without the patch any unauthenticated users could perform zimp bomb
> attacks against tryton-server.
> 
> [ Tests ]
> The test suite completes without errors. The patch is now publicly
> available and in use since 20 days.
> 
> [ Risks ]
> The patch has minimal complexity and is from the upstream author
> who is generally very knowledgable about his code.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> The upstream commit was added as a patch that allows gzip
> compressed content only for authenticated users.
> 
> 01_avoid_call_to_pypi.patch was refreshed to apply cleanly with no
> further changes.
> 
> [ Other info ]
> This patch requires also a patch for tryton-client in a separate upload
> to prevent a regression of tryton-client when it tries to send gzipped
> content without authentication.


Friendly ping for this one and 1070484@bugs.debian.org as well.

I see that requests for bookworm-pu of other packages were accepted in the
meantime. If there is something missing or wrong with this request please let
me know.

Thanks,
Mathias



-- 

    Mathias Behrle
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

Reply to:

Prev by Date: NEW changes in oldstable-new
Next by Date: Bug#1070484: bookworm-pu: package tryton-client/tryton-client_6.0.26-1+deb12u1
Previous by thread: Processed: dns-root-data 2024041801~deb11u1 flagged for acceptance
Next by thread: Bug#1070478: bookworm-pu: package tryton-server/tryton-server_6.0.29-2+deb12u2
Index(es):
- Date
- Thread