Debian Security Advisory

DLA-607-1 tryton-server -- LTS security update

Date Reported: 31 Aug 2016
Affected Packages: tryton-server
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2016-1242.
More information:

The file_open syscall did not prevent the use of an up-level reference in a file name. A forged Report name could be used to open a file outside the root directory of trytond.
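The containment check that this class of bug calls for, as an added Python example that is not trytond's code or the actual patch. The function names (`naive_path`, `safe_path`, `is_allowed`), the directory layout and the sample file names are hypothetical and constructed for illustration.

```python
# Added illustration; all names here are hypothetical, not trytond's own code.
import os
import tempfile

class PathEscapeError(ValueError):
    """The requested name resolves outside the permitted root."""

def naive_path(root, name):
    # Unchecked join: "../" segments in name survive and are honoured by open().
    return os.path.join(root, name)

def safe_path(root, name):
    """Return the resolved path of name under root, or raise PathEscapeError."""
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the file that open() would actually reach.
    candidate = os.path.realpath(os.path.join(root_real, name))
    # commonpath compares whole components, so a sibling such as
    # "<root>-private" is not mistaken for a path inside root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscapeError("%r escapes %r" % (name, root))
    return candidate

def is_allowed(root, name):
    try:
        safe_path(root, name)
        return True
    except PathEscapeError:
        return False

def demo():
    """Run the check over constructed names in a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "app")
        os.makedirs(os.path.join(root, "reports"))
        os.makedirs(os.path.join(base, "app-private"))
        os.symlink(os.path.join(base, "app-private"), os.path.join(root, "link"))
        names = {
            "plain": "reports/invoice.odt",
            "dotdot_inside": "reports/../reports/invoice.odt",
            "dotdot_sibling": "../app-private/notes.txt",
            "absolute": os.path.join(base, "app-private", "notes.txt"),
            "symlink": "link/notes.txt",
        }
        return {label: is_allowed(root, n) for label, n in names.items()}

if __name__ == "__main__":
    print(demo())
```

The sibling-directory and symlink cases are the ones a plain string-prefix comparison or a `normpath`-only check would let through.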

For Debian 8 Jessie, this problem has been fixed in version 2.2.4-1+deb7u3.

We recommend that you upgrade your ikiwiki packages. It is also recommended that you have liblwpx-paranoidagent-perl installed, which is listed in the Recommends field of ikiwiki.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS