From: Luis Falcon
Subject: [Health-security] Tryton server versions involved in vulnerability GNUHEALTH-SA-2016-1.tryton
Date: Sun, 27 Mar 2016 13:09:42 +0100
Dear all,
Just an update on vulnerability GNUHEALTH-SA-2016-1.tryton. This
revision lists all the Tryton servers (trytond) affected by this
vulnerability.
You can check the latest revision in
https://ftp.gnu.org/gnu/health/security/security_advisories.html
Bests,
===============================================================================
GNUHEALTH-SA-2016-1.tryton                                    Security Advisory
                                                            GNU Health project
Topic: Tryton get_login remote denial of service vulnerability
Affects: GNU Health 3.0, 2.8, 2.6, 2.4, 2.2, 2.0
Component: Trytond 3.8, 3.6, 3.4, 3.2, 3.0, 2.8
Released: 2016-03-22
Credits: Luis Falcon
You can get the latest status of this and other advisories at
https://ftp.gnu.org/gnu/health/security/security_advisories.html
I. Background
Tryton is an application framework used by GNU Health. Tryton uses a
database table to log the failed login attempts. The number of failed
attempts is used to increase the timeout on the next login session.
II. Problem Description
Each login attempt involves unprivileged database operations (read,
create or delete). Attempts against both existing and non-existing
accounts are stored in the database. Moreover, the rows recorded for
non-existing users are never removed from the table.
III. Impact
An attacker can flood the database engine with login attempts for
random, non-existing accounts, leading to resource exhaustion / denial of
service.
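The mechanism described in sections I to III, modelled as an added example that is not part of the advisory or of trytond: an in-memory stand-in for the failed-login table, the behaviour the advisory describes beside one plausible mitigation (persist nothing for unknown accounts, expire and cap rows), and a regression-style check of how many rows a burst of failed logins leaves behind. Class and function names are assumptions for this illustration, and the hardened variant is not the project's patch.

```python
from collections import defaultdict

# Constructed in-memory stand-in for the failed-login table the advisory
# describes. The class and function names are assumptions for this example,
# not trytond identifiers.
class LoginAttemptTable:
    def __init__(self):
        self.rows = defaultdict(list)   # login name -> failure timestamps

    def count(self, login):
        return len(self.rows[login])

    def size(self):
        return sum(len(v) for v in self.rows.values())


def vulnerable_record_failure(table, known_users, login, now):
    """Behaviour the advisory describes: every failed attempt is written,
    whether or not the account exists, and rows for unknown accounts are
    never removed, so the table grows without bound."""
    table.rows[login].append(now)
    return 2 ** table.count(login)          # next-login delay grows with count


def hardened_record_failure(table, known_users, login, now, window=600, cap=10):
    """One plausible mitigation (an assumption, not the project's patch):
    persist nothing for accounts that do not exist, drop rows older than
    `window` seconds, and keep at most `cap` rows per account."""
    if login not in known_users:
        return 2 ** cap   # fixed worst-case delay; nothing is stored
    rows = [t for t in table.rows[login] if now - t < window]
    rows.append(now)
    table.rows[login] = rows[-cap:]
    return 2 ** len(table.rows[login])


def rows_after_burst(record, n_unknown, known_users=frozenset({"admin"})):
    """Regression check: replay failed logins for n_unknown distinct
    non-existing accounts plus one real one and return the rows left."""
    table = LoginAttemptTable()
    for i in range(n_unknown):
        record(table, known_users, "nouser%d" % i, now=float(i))
    record(table, known_users, "admin", now=float(n_unknown))
    return table.size()


if __name__ == "__main__":
    print("vulnerable:", rows_after_burst(vulnerable_record_failure, 1000))  # 1001
    print("hardened:  ", rows_after_burst(hardened_record_failure, 1000))    # 1
```

Monitoring the row count of the real table over time is the corresponding detection signal: under the vulnerable behaviour it tracks the number of distinct bogus account names tried, under the hardened one it stays bounded by the number of real accounts times the cap.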
IV. Workaround
No workaround is available
V. Solution
Install the patch either using gnuhealth-control or by applying it directly.
a) Update via gnuhealth-control (gnuhealth-control version 3.0.3 or later)
Login as gnuhealth user
$ su - gnuhealth
Stop the GNU Health server
Make sure you have gnuhealth-control version 3.0.3 or later.
$ gnuhealth-control version
Check the status of your current version
$ gnuhealth-control update --dry-run
Apply the updates
$ gnuhealth-control update
Reload the GNU Health environment
$ source $HOME/.gnuhealthrc
Restart the server
b) Apply the patch directly (GNU Health < 3.0, or if there were
problems using gnuhealth-control)
Login as gnuhealth user
$ su - gnuhealth
Stop the GNU Health server
Download the patch
$ wget https://ftp.gnu.org/gnu/health/security/GNUHEALTH-SA-2016-1.tryton.patch.asc
$ cd $HOME/gnuhealth/tryton/server/trytond-${TRYTON_VERSION}/trytond/res
Check the patch status and eligibility
$ patch --dry-run -N -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc
If everything went well, apply the patch
$ patch -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc
Restart the server
########################################################################
--
Dr. Luis Falcon, M.D., BSc
President, GNU Solidario
GNU Health: Freedom and Equity in Healthcare
http://health.gnu.org