Debian 11 Tryton-Server Vulnerability Let Attackers Launch Zip Bomb Attacks

The Debian Long Term Support (LTS) team has issued security advisory DLA-4022-1 for a resource-exhaustion (denial-of-service) vulnerability in tryton-server, the application server of the Tryton Enterprise Resource Planning (ERP) system.

Debian LTS provides security updates for older Debian releases after their regular support period has ended, so that users and businesses still running those versions continue to receive fixes.

The flaw, discovered by Cédric Krier, lies in the server's handling of compressed request bodies sent by unauthenticated clients, which leaves it exposed to zip bomb attacks.


A zip bomb (or decompression bomb) is a compressed payload crafted so that it is tiny on the wire but expands to an enormous size when decompressed, consuming memory, CPU time or disk space far out of proportion to the bytes the attacker had to send. Highly repetitive data compresses at ratios of roughly 1000:1 with deflate/gzip, so a few hundred kilobytes can inflate to hundreds of megabytes and crash or stall the process that decompresses it.

Because trytond decompresses request bodies even when the request is unauthenticated, an attacker needs no account on the system: a single crafted request is enough to exhaust the server's memory and crash it or make it unresponsive. The issue has not yet been assigned a CVE ID.

“Cédric Krier has found that trytond, the Tryton application server, accepts compressed content from unauthenticated requests which makes it vulnerable to zip bomb attacks.” Daniel Leidert said.
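The following is an added example, written for this article and not taken from trytond or from the Debian patch, that shows the two halves of the problem described above: how cheaply a gzip bomb is built, and how a server can inflate a body without ever allocating more than a fixed cap. All names (make_gzip_bomb, decompress_bounded, read_request_body, PayloadTooLarge) are hypothetical, and the payload is constructed in the code itself.

```python
"""Added example: a gzip bomb and a bounded decompressor (not trytond code).

All helper names here are hypothetical and the payload is constructed
locally; nothing below is taken from Tryton or from DLA-4022-1.
"""
import gzip
import io
import zlib


def make_gzip_bomb(expanded_size: int) -> bytes:
    """Constructed sample: a gzip body that inflates to `expanded_size` zero bytes.

    Repetitive input compresses at roughly 1000:1, so a few tens of
    kilobytes on the wire become tens of megabytes inside the server.
    """
    buf = io.BytesIO()
    chunk = b"\0" * (1 << 20)  # 1 MiB of zeros, written repeatedly
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        remaining = expanded_size
        while remaining > 0:
            n = min(len(chunk), remaining)
            gz.write(chunk[:n])
            remaining -= n
    return buf.getvalue()


def decompress_unbounded(body: bytes) -> bytes:
    """The vulnerable pattern: inflate whatever the client sent, all at once."""
    return gzip.decompress(body)


class PayloadTooLarge(Exception):
    """Raised when the inflated request body would exceed the configured cap."""


def decompress_bounded(body: bytes, max_bytes: int) -> bytes:
    """Inflate a gzip body, aborting as soon as the output would pass max_bytes.

    The streaming decompressor is driven with max_length, so memory use is
    capped at max_bytes + 1 no matter how high the compression ratio is.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+: expect a gzip header
    out = bytearray()
    pending = body
    while not d.eof:
        room = max_bytes - len(out) + 1  # allow at most one byte past the cap
        chunk = d.decompress(pending, max_length=room)
        out += chunk
        if len(out) > max_bytes:
            raise PayloadTooLarge(f"inflated body exceeds {max_bytes} bytes")
        pending = d.unconsumed_tail  # input zlib did not consume this round
        if not pending and not chunk:
            raise ValueError("truncated gzip stream")
    return bytes(out)


def read_request_body(headers: dict, body: bytes, authenticated: bool,
                      max_bytes: int = 1 << 20) -> bytes:
    """Hypothetical request handler combining both mitigations.

    Unauthenticated callers get no compression at all (the cheapest thing to
    reject); authenticated callers are still bounded, because a leaked
    session should not buy a denial of service either.
    """
    encoding = headers.get("Content-Encoding", "identity").lower()
    if encoding == "identity":
        if len(body) > max_bytes:
            raise PayloadTooLarge("body exceeds cap")
        return body
    if encoding != "gzip":
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    if not authenticated:
        raise PermissionError("compressed bodies require authentication")
    return decompress_bounded(body, max_bytes)


if __name__ == "__main__":
    bomb = make_gzip_bomb(32 << 20)  # 32 MiB of zeros
    print(f"bomb on the wire: {len(bomb)} bytes")
    try:
        decompress_bounded(bomb, 1 << 20)
    except PayloadTooLarge as exc:
        print(f"bounded decompressor refused it: {exc}")
```

The cap has to be enforced during inflation, not on the compressed size: a check on Content-Length alone is what a bomb is designed to pass. Running the block stand-alone prints the on-wire size of the 32 MiB bomb (a few tens of kilobytes) and shows the bounded decompressor rejecting it after producing just over 1 MiB.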

Fixes Released

To resolve this issue, updates have been released for both the tryton-server and tryton-client packages; the two are updated together so that the client stays compatible with the patched server and no regressions are introduced.

  • Tryton-Server Fixed Version: 5.0.33-2+deb11u3
  • Tryton-Client Fixed Version: 5.0.33-1+deb11u1

System administrators running Debian 11 (Bullseye) should upgrade their tryton-server and tryton-client packages to the patched versions without delay. On Debian 11 this is done with apt update followed by apt install tryton-server tryton-client, after which dpkg -l tryton-server tryton-client should report the versions listed above; the updates remove the exposure to crafted compressed requests.

To check the detailed status of Tryton-Server and its vulnerabilities, visit the Debian Security Tracker.

Detailed guidance on applying security updates in Debian systems and answers to frequently asked questions can be found at the Debian LTS Wiki.

This update is critical for those running Tryton-Server on Debian 11 to maintain system integrity and security. Stay vigilant and ensure your systems are up to date.


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.