I'm a little bit surprised that my post (http://openobject.com/forum/topic12786.html) has been deleted without any comment or warning. I would like to know what was wrong with this post, because it didn't disclose any information about how to use the security hole and, moreover, it gives information about how to report security issues. And by the way, it is not the first post to talk about security, like "About security of xmlrpc interface." (http://www.openobject.com/forum/topic12453.html?highlight=security%20xmlrpc).

But on the other hand, the patch has been applied publicly on Launchpad and it discloses information on how to exploit the hole. For me, the good way would be to fix the issue locally, create a new release (still locally), publish it, request a CVE (http://cve.mitre.org/) id and then push the patch to Launchpad. That way, the issue is not disclosed before the new release.
------------------------
Cédric Krier
http://www.b2ck.com/
http://www.tryton.org/

http://www.openobject.com/forum/viewtopic.php?p=42576#42576

_______________________________________________
Tinyerp-users mailing list
http://tiny.be/mailman2/listinfo/tinyerp-users
