Security Release for issue7792


A vulnerability in tryton has been found by Cédric Krier.

With issue7792, the client tries to connect to the bus in plain text instead of over an encrypted connection. The connection attempt fails, but its header contains the user's current session. This session could then be stolen by a man-in-the-middle.
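The class of guard that prevents this kind of leak, as an added example in generic Python (not tryton's code and not the actual fix): a urllib pre-processor that refuses to send a session-bearing header over plain HTTP. The header names, class and function names, and the sample URL and session value are assumptions made for illustration.

```python
import urllib.request

# Headers treated as session-bearing. Assumption: the advisory only says
# "the header", so both common carriers are covered here.
CREDENTIAL_HEADERS = {"authorization", "cookie"}


class PlaintextCredentialError(Exception):
    """A session-bearing request was about to leave without TLS."""


class RefusePlaintextCredentials(urllib.request.BaseHandler):
    handler_order = 100  # run before the stock HTTP handler (order 500)

    def http_request(self, req):
        # urllib runs this pre-processor for http:// requests only, before a
        # socket is opened, and again for every redirect it follows, so an
        # https -> http downgrade is refused as well.
        leaked = sorted(name for name, _ in req.header_items()
                        if name.lower() in CREDENTIAL_HEADERS)
        if leaked:
            raise PlaintextCredentialError(
                "refusing to send %s to %s without TLS"
                % (", ".join(leaked), req.full_url))
        return req


def guarded_opener():
    """Opener to use for every request that may carry the session."""
    return urllib.request.build_opener(RefusePlaintextCredentials())


def is_blocked(url, headers):
    """Run only the guard (no network I/O); True if it refuses the request."""
    req = urllib.request.Request(url, headers=headers)
    if req.type != "http":
        return False
    try:
        RefusePlaintextCredentials().http_request(req)
    except PlaintextCredentialError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; nothing is sent in either case.
    session = {"Authorization": "Session constructed-sample-value"}
    print(is_blocked("http://tryton.example.invalid/bus", session))   # True
    print(is_blocked("https://tryton.example.invalid/bus", session))  # False
```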


CVSS v3.0 Base Score: 4.2

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None


There are no known workarounds.


All affected users should upgrade tryton to the latest version.
It is recommended that users change their password to clear all existing sessions (the password itself has not been compromised).
Only series 5.0 has the component subject to the issue.
Affected versions per series: =5.0.0
Non-affected versions per series: >=5.0.1



Any security concerns should be reported on the bug-tracker at with the type security.

CVE-2018-19443 was assigned directly from MITRE by request from Debian for