OCA / server-auth

https://odoo-community.org/psc-teams/tools-30
GNU Affero General Public License v3.0

[16.0][FIX] users_ldap_groups JSON RPC vulnerability #659

Closed oh2fih closed 1 month ago

oh2fih commented 1 month ago

Fix https://github.com/OCA/server-auth/issues/617

res.company.ldap.operator operators should be private methods; public methods allow arbitrary LDAP queries via JSON-API
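The point above (an operator that can be reached over RPC accepts a caller-supplied LDAP filter, whereas an underscore-prefixed method cannot be reached at all) as an added illustration that is not code from OCA/server-auth or from this pull request. It assumes only the Odoo convention that the RPC layer refuses method names beginning with an underscore; the class and method names below are invented for the example, and the "directory query" just returns the filter it would have sent.

```python
"""Toy RPC dispatcher modelled on the Odoo convention that methods whose
names start with an underscore are private and cannot be invoked through
JSON-RPC.  Constructed example; not code from OCA/server-auth."""

from typing import Any, Callable


class PrivateMethodError(Exception):
    """Raised when a caller tries to reach a private method over RPC."""


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 special chars)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


class GroupMappingBefore:
    """Vulnerable shape (hypothetical): the operator is a public method,
    so an RPC caller chooses the whole filter that goes to the directory."""

    def query_group(self, ldap_filter: str) -> str:
        # Stand-in for the directory search: return the filter it would run.
        return ldap_filter


class GroupMappingAfter:
    """Fixed shape (hypothetical): the operator is private; the only public
    entry point builds the filter itself from an escaped value."""

    def _query_group(self, ldap_filter: str) -> str:
        return ldap_filter

    def sync_user(self, uid: str) -> str:
        return self._query_group(f"(memberUid={ldap_escape(uid)})")


def rpc_call(obj: Any, method: str, *args: Any) -> Any:
    """Dispatch the way an RPC layer does: reject private names before lookup."""
    if method.startswith("_"):
        raise PrivateMethodError(f"{method} is private and not RPC-callable")
    fn: Callable[..., Any] = getattr(obj, method)
    return fn(*args)


def rpc_exposed(obj: Any, method: str) -> bool:
    """True when `method` can be reached through rpc_call (used for review checks)."""
    if method.startswith("_"):
        return False
    return callable(getattr(obj, method, None))


if __name__ == "__main__":
    before, after = GroupMappingBefore(), GroupMappingAfter()
    print("before:", rpc_exposed(before, "query_group"))   # True  -> arbitrary filter
    print("after: ", rpc_exposed(after, "_query_group"))   # False -> not reachable
    print("after: ", rpc_call(after, "sync_user", "a*b"))  # escaped, fixed-shape filter
```

The `rpc_exposed` helper is the kind of check a reviewer can run over a model's operator names: anything that builds an LDAP filter from its arguments and is not underscore-prefixed is reachable by any authenticated RPC caller.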

pedrobaeza commented 1 month ago

Please do a responsible disclosure of any vulnerability. You can't put "JSON RPC vulnerability" in big letters in the title; it calls those who want to exploit it.

oh2fih commented 1 month ago

This information has been out there since Feb 23 as #617 and this fix available since Mar 30 as a part of #596, though...

pedrobaeza commented 1 month ago

Yes, and that was also a non-responsible disclosure. It's not your fault though, as there's no mechanism established for this at OCA (cc @vdewulf), as there is for Odoo: https://www.odoo.com/es_ES/security-report

oh2fih commented 1 month ago

I agree. Well, https://odoo-community.org/contactus does have security contact information, but the information is a few clicks away from the repository and, therefore, slightly hard to find. Now that I have it, I'll definitely approach the security team first in the future.

sbidoul commented 1 month ago

> I agree. Well, https://odoo-community.org/contactus does have security contact information, but the information is a few clicks away from the repository and, therefore, slightly hard to find. Now that I have it, I'll definitely approach the security team first in the future.

Good point, @oh2fih. I added a security policy on our GitHub organization. It is now visible on each repo.

pedrobaeza commented 1 month ago

Let's merge it although the CI is red.

sbidoul commented 1 month ago

I opened backport PRs for 15, 14, 13.

12 will require manual intervention.