
Re: [Health] Security warning for Tryton-sao


From: Luis Falcon
Subject: Re: [Health] Security warning for Tryton-sao
Date: Fri, 9 Mar 2018 16:36:11 +0000

Hi Axel!

On Thu, 08 Mar 2018 22:44:58 +0100
Axel Braun <address@hidden> wrote:

> Dear all,
> 
> please be aware that there is a security issue with Tryton Sao, the
> web client of the Tryton ERP platform.
> 
> Sao is based on jQuery 2.x, which is not maintained anymore [1].
> 
> The developers of jQuery state:
> <quote>
> jQuery 2.x is no longer maintained and contains vulnerabilities that
> could lead to security issues in add-ons
> </quote>
> 
> The issue that sao is based on in between unmaintained and insecure
> software components was discussed, but is unsolved up to now [2].
> 
> As all versions of sao including Tryton 4.6 are affected, there is
> currently no migration or upgrade path.
> 
> I have disabled the build for sao packages on openSUSE until further
> notice. 
>

Thanks for the info! As I have mentioned several times, SAO is not
officially supported by GNU Health, so we are OK. We review
the changes periodically, and we'll evaluate whether the next SAO editions
can be eligible for production use in GNU Health.

On the topic, GNU Health has a security related mailing list, which I
recommend anyone interested in the matter to join. 


Best
Luis


