-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
GNUHEALTH-SA-2016-1.tryton                                 Security Advisory
                                                           GNU Health project

Topic:          Tryton get_login remote denial of service vulnerability

Affects:        GNU Health 3.0, 2.8, 2.6, 2.4, 2.2, 2.0
Component:      Trytond 3.8, 3.6, 3.4, 3.2, 3.0, 2.8
Released:       2016-03-22
Credits:        Luis Falcon

You can get the latest status of this and other advisories at
https://ftp.gnu.org/gnu/health/security/security_advisories.html


I.   Background

Tryton is an application framework used by GNU Health. Tryton uses a
database table to log failed login attempts. The number of failed
attempts is used to increase the timeout on the next login attempt.


II.  Problem Description

Each login attempt involves unprivileged database operations (read, create or
delete). Login attempts for both existing and non-existing accounts are stored
in the database. Moreover, the entries for non-existing users are never removed
from the table, so it grows without bound.

III. Impact

An attacker can flood the database engine with login attempts for random,
non-existing accounts, leading to resource exhaustion / denial of service.
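As an added illustration (not trytond code and not the GNUHEALTH-SA-2016-1
patch), the following Python models the login-attempt table described above:
the vulnerable recorder stores a row for every failed attempt regardless of
whether the account exists, while a hardened recorder stores rows only for
known accounts and prunes rows older than a window, so the table stays bounded
while the back-off for real accounts is preserved. The table and column names,
the 300-second window and the sample users are assumptions.

```python
import sqlite3

# Constructed in-memory schema standing in for the user table and the
# login-attempt table the advisory describes (assumed names, not Tryton's).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE res_user (login TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE login_attempt (login TEXT, ts REAL)")
    db.execute("INSERT INTO res_user VALUES ('admin'), ('alice')")
    return db

def user_exists(db, login):
    row = db.execute("SELECT 1 FROM res_user WHERE login = ?", (login,)).fetchone()
    return row is not None

def record_failure_vulnerable(db, login, now):
    # One row per failed attempt for ANY login string, never pruned:
    # random non-existing names grow the table without bound.
    db.execute("INSERT INTO login_attempt VALUES (?, ?)", (login, now))

def record_failure_hardened(db, login, now, window=300.0):
    # Only known accounts get a row (random names cannot grow the table) and
    # rows outside the back-off window are pruned, so storage stays bounded.
    # Unknown logins should be throttled per source address instead.
    if not user_exists(db, login):
        return
    db.execute("DELETE FROM login_attempt WHERE ts < ?", (now - window,))
    db.execute("INSERT INTO login_attempt VALUES (?, ?)", (login, now))

def failed_attempts(db, login, now, window=300.0):
    return db.execute(
        "SELECT COUNT(*) FROM login_attempt WHERE login = ? AND ts >= ?",
        (login, now - window)).fetchone()[0]

def login_delay(db, login, now):
    # Back-off in seconds, growing with recent failures (capped for the demo).
    return min(failed_attempts(db, login, now), 10)

def simulate(record, n_random, now=1000.0):
    """Flood with n_random constructed non-existing logins, then two real
    failures for 'alice'; return (table rows, alice's next login delay)."""
    db = make_db()
    for i in range(n_random):
        record(db, "nobody%d" % i, now + i)
    record(db, "alice", now + n_random)
    record(db, "alice", now + n_random + 1)
    rows = db.execute("SELECT COUNT(*) FROM login_attempt").fetchone()[0]
    return rows, login_delay(db, "alice", now + n_random + 1)
```

Running simulate with both recorders shows the vulnerable table holding one row
per random name while the hardened one holds only alice's two rows, with the
same back-off applied to her account in both cases.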

IV.  Workaround

No workaround is available.

V.   Solution

Install the patch either with gnuhealth-control or by applying it directly.

a)  Update via gnuhealth-control (gnuhealth-control version 3.0.3 or later)

    Log in as the gnuhealth user
    
    $ su - gnuhealth

    Stop the GNU Health server
    
    Make sure you have gnuhealth-control version 3.0.3 or later.

    $ gnuhealth-control version
    
    Check the update status of your current version (dry run)

    $ gnuhealth-control update --dry-run 

    Apply the updates
    
    $ gnuhealth-control update
    
    Reload the GNU Health environment
    
    $ source $HOME/.gnuhealthrc

    Restart the server
    

b)  Apply the patch directly (GNU Health < 3.0, or if there were
    problems using gnuhealth-control)

    Log in as the gnuhealth user

    $ su - gnuhealth
    
    Stop the GNU Health server
    
    Download the patch
    
    $ wget https://ftp.gnu.org/gnu/health/security/GNUHEALTH-SA-2016-1.tryton.patch.asc
    
    $ cd $HOME/gnuhealth/tryton/server/trytond-${TRYTON_VERSION}/trytond/res
    
    Check the patch status and eligibility (dry run)

    $ patch --dry-run -N -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc
    
    If everything went well, apply the patch
    
    $ patch -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc
    
    Restart the server

########################################################################




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlb3wP4ACgkQ6toB4+RLgBGRvwCePZhp1XW5n/LgXsdvGfzQI9wY
hBIAnRJccf66li2cRiyUSdmarH1UuVVz
=cKwp
-----END PGP SIGNATURE-----