On 2018-03-08 22:44, Axel Braun wrote:
> please be aware that there is a security issue with Tryton Sao, the web 
> client of the Tryton ERP platform.
> 
> Sao is based on jQuery 2.x, which is not maintained anymore [1].
> 
> The developers of jQuery state:
> <quote>
> jQuery 2.x is no longer maintained and contains vulnerabilities that could 
> lead to security issues in add-ons
> </quote>
> 
> The issue that sao is, in the meantime, based on unmaintained and insecure 
> software components was discussed, but is unsolved up to now [2].
> 
> As all versions of sao including Tryton 4.6 are affected, there is currently 
> no migration or upgrade path.
> 
> I have disabled the build for sao packages on openSUSE until further notice. 

This is FUD. There is no known security issue with the usage of sao.
The security issues known for jQuery are for XSS, which sao does not do;
see https://www.cvedetails.com/vulnerability-list/vendor_id-6538/Jquery.html

If you think there is any security issue, please be responsible and follow
the proper way:
http://www.tryton.org/how-to-contribute.html#submitting-issue

If you are concerned, I would suggest you work on providing a patch for
https://bugs.tryton.org/issue5925, which will be welcomed of course.

-- 
Cédric Krier - B2CK SPRL
Email/Jabber: cedric.kr...@b2ck.com
Tel: +32 472 54 46 59
Website: http://www.b2ck.com/

-- 
You received this message because you are subscribed to the Google Groups 
"tryton" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tryton/20180308233803.GA11830%40kei.
