Closed oh2fih closed 1 month ago
Please do a responsible disclosure of any vulnerability. You can't put "JSON RPC vulnerability" in big letters in the title to call on those who want to exploit it.
This information has been out there since Feb 23 as #617, and this fix has been available since Mar 30 as a part of #596, though...
Yes, and that was also a non-responsible disclosure. It's not your fault though, as there's no mechanism established for this at OCA (cc @vdewulf), as there is for Odoo: https://www.odoo.com/es_ES/security-report
I agree. Well, https://odoo-community.org/contactus does have security contact information, but the information is a few clicks away from the repository and, therefore, slightly hard to find. Now that I have it, I'll definitely approach the security team first in the future.
Good point, @oh2fih. I added a security policy on our GitHub organization. It is now visible on each repo.
Let's merge it although the CI is red.
I opened backport PRs for 15, 14, 13.
12 will require manual intervention.
Fix https://github.com/OCA/server-auth/issues/617
res.company.ldap.operator operators should be private methods; public methods allow arbitrary LDAP queries via JSON-API
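The point of the fix above is that Odoo's RPC layer dispatches any public model method a remote caller names, while names starting with `_` (or `init`) are refused as private. The following is an added example written for this page, not code from OCA/server-auth or from Odoo: it simulates that dispatch rule with a small `call_kw` stand-in and contrasts a constructed "before" model, whose LDAP operator helpers are public and build a filter straight from caller input, with an "after" model where the same helpers are private and the only reachable method whitelists the attribute and escapes the value. The class names, `build_user_filter`, `escape_filter_value`, the allowed-attribute list and the injection payload are all assumptions made for the example, not the real module's code.

```python
import re

# Odoo refuses to dispatch RPC calls to methods whose name starts with "_" (or is
# "init"); that rule is what makes an underscore-prefixed method "private" in the
# sense of this PR. The dispatcher below is a simplified simulation written for
# this example, not Odoo's own implementation.
PRIVATE_NAME = re.compile(r"^(_.*|init)$")


class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError."""


def check_method_name(name):
    """Reject method names that the RPC layer must never dispatch."""
    if PRIVATE_NAME.match(name):
        raise AccessError("Private methods (such as %s) cannot be called remotely." % name)


def call_kw(model, method, args=(), kwargs=None):
    """Simulated /web/dataset/call_kw: the remote caller controls method, args and kwargs."""
    check_method_name(method)
    func = getattr(model, method, None)
    if func is None or not callable(func):
        raise AccessError("No method %s on %s" % (method, type(model).__name__))
    return func(*args, **(kwargs or {}))


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


class LdapOperatorsBefore:
    """Constructed stand-in for the vulnerable shape: the operator helpers are
    public, so call_kw reaches them and the caller's input lands unescaped in a filter."""

    def equals(self, attr, value):
        return "(%s=%s)" % (attr, value)

    def contains(self, attr, value):
        return "(%s=*%s*)" % (attr, value)


class LdapOperatorsAfter:
    """Same helpers made private; the one public entry point validates its inputs."""

    ALLOWED_ATTRS = ("uid", "mail")  # assumed whitelist for the example

    def _equals(self, attr, value):
        return "(%s=%s)" % (attr, escape_filter_value(value))

    def _contains(self, attr, value):
        return "(%s=*%s*)" % (attr, escape_filter_value(value))

    def build_user_filter(self, attr, value, exact=True):
        """Public (RPC-reachable): whitelists the attribute and escapes the value."""
        if attr not in self.ALLOWED_ATTRS:
            raise ValueError("attribute %r not allowed" % attr)
        op = self._equals if exact else self._contains
        return op(attr, value)


def demo():
    hostile = "*)(uid=*"  # constructed injection payload
    results = {}
    # Before: the remote caller reaches the operator directly and injects into the filter.
    results["before"] = call_kw(LdapOperatorsBefore(), "contains", ("uid", hostile))
    # After: the same remote call is refused because the name is private ...
    try:
        call_kw(LdapOperatorsAfter(), "_contains", ("uid", hostile))
        results["after_private"] = "reached"
    except AccessError:
        results["after_private"] = "refused"
    # ... and the public entry point escapes what it is given.
    results["after_public"] = call_kw(
        LdapOperatorsAfter(), "build_user_filter", ("uid", hostile), {"exact": False}
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Renaming a helper with a leading underscore closes the RPC path, but it is not a substitute for escaping: the "after" model still escapes because a public method that merely forwards caller input to a private one reopens the same hole.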