Version in base suite: 14.0.0+dfsg.2-7

Base version: odoo_14.0.0+dfsg.2-7
Target version: odoo_14.0.0+dfsg.2-7+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/odoo/odoo_14.0.0+dfsg.2-7.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/odoo/odoo_14.0.0+dfsg.2-7+deb11u1.dsc

 changelog                         |   26 ++++++++++++
 patches/0010_CVE-2021-44775.patch |   42 ++++++++++++++++++++
 patches/0020_CVE-2021-45111.patch |   35 +++++++++++++++++
 patches/0030_CVE-2021-45071.patch |   67 ++++++++++++++++++++++++++++++++
 patches/0040_CVE-2021-44476.patch |   78 ++++++++++++++++++++++++++++++++++++++
 patches/0050_CVE-2021-26947.patch |   46 ++++++++++++++++++++++
 patches/0060_CVE-2021-23186.patch |   12 +++++
 patches/0070_CVE-2021-23178.patch |   40 +++++++++++++++++++
 patches/0080_CVE-2021-23176.patch |   40 +++++++++++++++++++
 patches/0090_CVE-2021-23166.patch |   14 ++++++
 patches/0100_CVE-2021-26263.patch |   15 +++++++
 patches/0110_CVE-2021-23203.patch |   68 +++++++++++++++++++++++++++++++++
 patches/series                    |   11 +++++
 13 files changed, 494 insertions(+)

diff -Nru odoo-14.0.0+dfsg.2/debian/changelog odoo-14.0.0+dfsg.2/debian/changelog
--- odoo-14.0.0+dfsg.2/debian/changelog	2021-04-09 06:02:34.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/changelog	2023-04-28 04:28:07.000000000 +0000
@@ -1,3 +1,29 @@
+odoo (14.0.0+dfsg.2-7+deb11u1) stable-security; urgency=high
+
+  * debian/patches: fix recent CVEs
+    CVE-2021-44775, CVE-2021-26947, CVE-2021-45071, CVE-2021-26263:
+      XSS allowing remote attacker to inject arbitrary commands.
+    CVE-2021-45111:
+      Incorrect access control allowing authenticated remote user to
+      create user accounts and access restricted data.
+    CVE-2021-44476, CVE-2021-23166:
+      Incorrect access control allowing authenticated remote administrator
+      to access local files on the server.
+    CVE-2021-23186:
+      Incorrect access control allowing authenticated remote administrator
+      to modify database contents of other tenants.
+    CVE-2021-23178:
+      Incorrect access control allowing authenticated remote user to
+      use another user's payment method.
+    CVE-2021-23176:
+      Incorrect access control allowing authenticated remote user to
+      access accounting information.
+    CVE-2021-23203:
+      Incorrect access control allowing authenticated remote user to
+      access arbitrary documents via PDF exports.
+  
+ -- Sebastien Delafond <seb@debian.org>  Fri, 28 Apr 2023 06:28:07 +0200
+
 odoo (14.0.0+dfsg.2-7) unstable; urgency=medium
 
   [ Sébastien Delafond ]
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0010_CVE-2021-44775.patch odoo-14.0.0+dfsg.2/debian/patches/0010_CVE-2021-44775.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0010_CVE-2021-44775.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0010_CVE-2021-44775.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,42 @@
+diff --git a/addons/website/static/src/js/content/snippets.animation.js b/addons/website/static/src/js/content/snippets.animation.js
+index 2914a1c427c5d..8c93167f1c1c5 100644
+--- a/addons/website/static/src/js/content/snippets.animation.js
++++ b/addons/website/static/src/js/content/snippets.animation.js
+@@ -608,7 +608,10 @@ registry.mediaVideo = publicWidget.Widget.extend({
+ 
+         var def = this._super.apply(this, arguments);
+         if (this.$target.children('iframe').length) {
+-            // There already is an <iframe/>, do nothing
++            // There already is an <iframe/>, do nothing. This is the normal
++            // case. The whole code that follows is only there to ensure
++            // compatibility with videos added before bug fixes or new Odoo
++            // versions where the <iframe/> element is properly saved.
+             return def;
+         }
+ 
+@@ -626,11 +629,23 @@ registry.mediaVideo = publicWidget.Widget.extend({
+         // the src is saved in the 'data-src' attribute or the
+         // 'data-oe-expression' one (the latter is used as a workaround in 10.0
+         // system but should obviously be reviewed in master).
++        var src = _.escape(this.$target.data('oe-expression') || this.$target.data('src'));
++        // Validate the src to only accept supported domains we can trust
++        var m = src.match(/^(?:https?:)?\/\/([^/?#]+)/);
++        if (!m) {
++            // Unsupported protocol or wrong URL format, don't inject iframe
++            return def;
++        }
++        var domain = m[1].replace(/^www\./, '');
++        var supportedDomains = ['youtu.be', 'youtube.com', 'youtube-nocookie.com', 'instagram.com', 'vine.co', 'player.vimeo.com', 'vimeo.com', 'dailymotion.com', 'player.youku.com', 'youku.com'];
++        if (!_.contains(supportedDomains, domain)) {
++            // Unsupported domain, don't inject iframe
++            return def;
++        }
+         this.$target.append($('<iframe/>', {
+-            src: _.escape(this.$target.data('oe-expression') || this.$target.data('src')),
++            src: src,
+             frameborder: '0',
+             allowfullscreen: 'allowfullscreen',
+-            sandbox: 'allow-scripts allow-same-origin', // https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
+         }));
+ 
+         return def;
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0020_CVE-2021-45111.patch odoo-14.0.0+dfsg.2/debian/patches/0020_CVE-2021-45111.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0020_CVE-2021-45111.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0020_CVE-2021-45111.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,35 @@
+diff --git a/odoo/addons/base/models/ir_demo.py b/odoo/addons/base/models/ir_demo.py
+index 6c8775aee5e94..e7ee63874efd6 100644
+--- a/odoo/addons/base/models/ir_demo.py
++++ b/odoo/addons/base/models/ir_demo.py
+@@ -1,5 +1,9 @@
++# -*- coding: utf-8 -*-
++# Part of Odoo. See LICENSE file for full copyright and licensing details.
++
+ from odoo import models
+ from odoo.modules.loading import force_demo
++from odoo.addons.base.models.ir_module import assert_log_admin_access
+ 
+ 
+ class IrDemo(models.TransientModel):
+@@ -7,6 +11,7 @@ class IrDemo(models.TransientModel):
+     _name = 'ir.demo'
+     _description = 'Demo'
+ 
++    @assert_log_admin_access
+     def install_demo(self):
+         force_demo(self.env.cr)
+         return {
+diff --git a/odoo/addons/base/models/ir_module.py b/odoo/addons/base/models/ir_module.py
+index aac796b46303d..c385ade9d95ea 100644
+--- a/odoo/addons/base/models/ir_module.py
++++ b/odoo/addons/base/models/ir_module.py
+@@ -66,7 +66,7 @@ def assert_log_admin_access(method):
+     def check_and_log(method, self, *args, **kwargs):
+         user = self.env.user
+         origin = request.httprequest.remote_addr if request else 'n/a'
+-        log_data = (method.__name__, self.sudo().mapped('name'), user.login, user.id, origin)
++        log_data = (method.__name__, self.sudo().mapped('display_name'), user.login, user.id, origin)
+         if not self.env.is_admin():
+             _logger.warning('DENY access to module.%s on %s to user %s ID #%s via %s', *log_data)
+             raise AccessDenied()
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0030_CVE-2021-45071.patch odoo-14.0.0+dfsg.2/debian/patches/0030_CVE-2021-45071.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0030_CVE-2021-45071.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0030_CVE-2021-45071.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,67 @@
+diff --git a/addons/web/static/src/js/fields/basic_fields.js b/addons/web/static/src/js/fields/basic_fields.js
+index d80bb9337fb11..112b5f75dfe31 100644
+--- a/addons/web/static/src/js/fields/basic_fields.js
++++ b/addons/web/static/src/js/fields/basic_fields.js
+@@ -2088,22 +2088,13 @@ var FieldBinaryFile = AbstractFieldBinary.extend({
+         this.filename_value = this.recordData[this.attrs.filename];
+     },
+     _renderReadonly: function () {
+-        this.do_toggle(!!this.value);
+-        if (this.value) {
+-            this.$el.empty().append($("<span/>").addClass('fa fa-download'));
+-            if (this.recordData.id) {
+-                this.$el.css('cursor', 'pointer');
+-            } else {
+-                this.$el.css('cursor', 'not-allowed');
+-            }
+-            if (this.filename_value) {
+-                this.$el.append(" " + this.filename_value);
+-            }
+-        }
+-        if (!this.res_id) {
+-            this.$el.css('cursor', 'not-allowed');
+-        } else {
+-            this.$el.css('cursor', 'pointer');
++        var visible = !!(this.value && this.res_id);
++        this.$el.empty().css('cursor', 'not-allowed');
++        this.do_toggle(visible);
++        if (visible) {
++            this.$el.css('cursor', 'pointer')
++                    .text(this.filename_value || '')
++                    .prepend($('<span class="fa fa-download"/>'), ' ');
+         }
+     },
+     _renderEdit: function () {
+diff --git a/addons/web/static/tests/fields/basic_fields_tests.js b/addons/web/static/tests/fields/basic_fields_tests.js
+index 4ccdd292b4a72..d478a5bcdb837 100644
+--- a/addons/web/static/tests/fields/basic_fields_tests.js
++++ b/addons/web/static/tests/fields/basic_fields_tests.js
+@@ -2441,7 +2441,7 @@ QUnit.module('basic_fields', {
+     });
+ 
+     QUnit.test('binary fields that are readonly in create mode do not download', async function (assert) {
+-        assert.expect(2);
++        assert.expect(4);
+ 
+         // save the session function
+         var oldGetFile = session.get_file;
+@@ -2473,10 +2473,17 @@ QUnit.module('basic_fields', {
+         await testUtils.fields.many2one.clickOpenDropdown('product_id');
+         await testUtils.fields.many2one.clickHighlightedItem('product_id');
+ 
+-        assert.containsOnce(form, 'a.o_field_widget[name="document"] > .fa-download',
++        assert.containsOnce(form, 'a.o_field_widget[name="document"]',
+             'The link to download the binary should be present');
++        assert.containsNone(form, 'a.o_field_widget[name="document"] > .fa-download',
++            'The download icon should not be present');
++
++        var link = form.$('a.o_field_widget[name="document"]');
++        assert.ok(link.is(':hidden'), "the link element should not be visible");
+ 
+-        testUtils.dom.click(form.$('a.o_field_widget[name="document"]'));
++        // force visibility to test that the clicking has also been disabled
++        link.removeClass('o_hidden');
++        testUtils.dom.click(link);
+ 
+         assert.verifySteps([]); // We shouldn't have passed through steps
+ 
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0040_CVE-2021-44476.patch odoo-14.0.0+dfsg.2/debian/patches/0040_CVE-2021-44476.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0040_CVE-2021-44476.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0040_CVE-2021-44476.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,78 @@
+diff --git a/addons/http_routing/models/ir_http.py b/addons/http_routing/models/ir_http.py
+index 206d63f429e..29e18651f3b 100644
+--- a/addons/http_routing/models/ir_http.py
++++ b/addons/http_routing/models/ir_http.py
+@@ -16,7 +16,7 @@
+     slugify_lib = None
+ 
+ import odoo
+-from odoo import api, models, registry, exceptions, tools
++from odoo import api, models, registry, exceptions, tools, http
+ from odoo.addons.base.models.ir_http import RequestUID, ModelConverter
+ from odoo.addons.base.models.qweb import QWebException
+ from odoo.http import request
+@@ -657,8 +657,7 @@ def _handle_exception(cls, exception):
+     @tools.ormcache('path')
+     def url_rewrite(self, path):
+         new_url = False
+-        req = request.httprequest
+-        router = req.app.get_db_router(request.db).bind('')
++        router = http.root.get_db_router(request.db).bind('')
+         try:
+             _ = router.match(path, method='POST')
+         except werkzeug.exceptions.MethodNotAllowed as e:
+diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py
+index 13f0124e3d9..91f5307b8cf 100644
+--- a/addons/web/controllers/main.py
++++ b/addons/web/controllers/main.py
+@@ -128,9 +128,8 @@ def redirect_with_hash(*args, **kw):
+     return http.redirect_with_hash(*args, **kw)
+ 
+ def abort_and_redirect(url):
+-    r = request.httprequest
+     response = werkzeug.utils.redirect(url, 302)
+-    response = r.app.get_response(r, response, explicit_session=False)
++    response = http.root.get_response(request.httprequest, response, explicit_session=False)
+     werkzeug.exceptions.abort(response)
+ 
+ def ensure_db(redirect='/web/database/selector'):
+@@ -1090,7 +1089,7 @@ def post(self, path):
+             from werkzeug.wrappers import BaseResponse
+             base_url = request.httprequest.base_url
+             query_string = request.httprequest.query_string
+-            client = Client(request.httprequest.app, BaseResponse)
++            client = Client(http.root, BaseResponse)
+             headers = {'X-Openerp-Session-Id': request.session.sid}
+             return client.post('/' + path, base_url=base_url, query_string=query_string,
+                                headers=headers, data=data)
+diff --git a/addons/website/models/website.py b/addons/website/models/website.py
+index 1b300b5199f..b487a9e7e5b 100644
+--- a/addons/website/models/website.py
++++ b/addons/website/models/website.py
+@@ -12,7 +12,7 @@
+ from werkzeug.datastructures import OrderedMultiDict
+ from werkzeug.exceptions import NotFound
+ 
+-from odoo import api, fields, models, tools
++from odoo import api, fields, models, tools, http
+ from odoo.addons.http_routing.models.ir_http import slugify, _guess_mimetype, url_for
+ from odoo.addons.website.models.ir_http import sitemap_qs2dom
+ from odoo.addons.portal.controllers.portal import pager
+@@ -790,7 +790,7 @@ def _enumerate_pages(self, query_string=None, force=False):
+             :rtype: list({name: str, url: str})
+         """
+ 
+-        router = request.httprequest.app.get_db_router(request.db)
++        router = http.root.get_db_router(request.db)
+         # Force enumeration to be performed as public user
+         url_set = set()
+ 
+@@ -965,7 +965,7 @@ def _get_canonical_url_localized(self, lang, canonical_params):
+         """
+         self.ensure_one()
+         if request.endpoint:
+-            router = request.httprequest.app.get_db_router(request.db).bind('')
++            router = http.root.get_db_router(request.db).bind('')
+             arguments = dict(request.endpoint_arguments)
+             for key, val in list(arguments.items()):
+                 if isinstance(val, models.BaseModel):
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0050_CVE-2021-26947.patch odoo-14.0.0+dfsg.2/debian/patches/0050_CVE-2021-26947.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0050_CVE-2021-26947.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0050_CVE-2021-26947.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,46 @@
+diff --git a/addons/auth_signup/controllers/main.py b/addons/auth_signup/controllers/main.py
+index d4eb9ec7ec451..6ef57c2f77733 100644
+--- a/addons/auth_signup/controllers/main.py
++++ b/addons/auth_signup/controllers/main.py
+@@ -5,7 +5,7 @@
+ 
+ from odoo import http, _
+ from odoo.addons.auth_signup.models.res_users import SignupError
+-from odoo.addons.web.controllers.main import ensure_db, Home
++from odoo.addons.web.controllers.main import ensure_db, Home, SIGN_UP_REQUEST_PARAMS
+ from odoo.addons.base_setup.controllers.main import BaseSetup
+ from odoo.exceptions import UserError
+ from odoo.http import request
+@@ -101,7 +101,7 @@ def get_auth_signup_config(self):
+ 
+     def get_auth_signup_qcontext(self):
+         """ Shared helper returning the rendering context for signup and reset password """
+-        qcontext = request.params.copy()
++        qcontext = {k: v for (k, v) in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}
+         qcontext.update(self.get_auth_signup_config())
+         if not qcontext.get('token') and request.session.get('auth_signup_token'):
+             qcontext['token'] = request.session.get('auth_signup_token')
+diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py
+index c835d8d5e2aad..1f75df6045e11 100644
+--- a/addons/web/controllers/main.py
++++ b/addons/web/controllers/main.py
+@@ -646,6 +646,10 @@ def get_qweb_templates_checksum(cls, addons, db=None, debug=False):
+     def get_qweb_templates(cls, addons, db=None, debug=False):
+         return cls(addons, db, debug=debug)._get_qweb_templates()[0]
+ 
++# Shared parameters for all login/signup flows
++SIGN_UP_REQUEST_PARAMS = {'db', 'login', 'debug', 'token', 'message', 'error', 'scope', 'mode',
++                          'redirect', 'redirect_hostname', 'email', 'name', 'partner_id',
++                          'password', 'confirm_password', 'city', 'country_id', 'lang'}
+ 
+ class GroupsTreeNode:
+     """
+@@ -933,7 +937,7 @@ def web_login(self, redirect=None, **kw):
+         if not request.uid:
+             request.uid = odoo.SUPERUSER_ID
+ 
+-        values = request.params.copy()
++        values = {k: v for k, v in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}
+         try:
+             values['databases'] = http.db_list()
+         except odoo.exceptions.AccessDenied:
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0060_CVE-2021-23186.patch odoo-14.0.0+dfsg.2/debian/patches/0060_CVE-2021-23186.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0060_CVE-2021-23186.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0060_CVE-2021-23186.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,12 @@
+diff --git a/odoo/modules/registry.py b/odoo/modules/registry.py
+index 0705dcb6151a2..d17caac091dce 100644
+--- a/odoo/modules/registry.py
++++ b/odoo/modules/registry.py
+@@ -103,6 +103,7 @@ def new(cls, db_name, force_demo=False, status=None, update_module=False):
+             registry._init = False
+             registry.ready = True
+             registry.registry_invalidated = bool(update_module)
++            registry.new = registry.init = registry.registries = None
+ 
+         return registry
+ 
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0070_CVE-2021-23178.patch odoo-14.0.0+dfsg.2/debian/patches/0070_CVE-2021-23178.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0070_CVE-2021-23178.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0070_CVE-2021-23178.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,40 @@
+diff --git a/addons/payment/models/account_invoice.py b/addons/payment/models/account_invoice.py
+index 89fdcfd4ce56f..b65fb1b6e3107 100644
+--- a/addons/payment/models/account_invoice.py
++++ b/addons/payment/models/account_invoice.py
+@@ -52,12 +52,12 @@ def _create_payment_transaction(self, vals):
+                 if payment_token and payment_token.acquirer_id != acquirer:
+                     raise ValidationError(_('Invalid token found! Token acquirer %s != %s') % (
+                     payment_token.acquirer_id.name, acquirer.name))
+-                if payment_token and payment_token.partner_id != partner:
+-                    raise ValidationError(_('Invalid token found! Token partner %s != %s') % (
+-                    payment_token.partner.name, partner.name))
+             else:
+                 acquirer = payment_token.acquirer_id
+ 
++            if payment_token and payment_token.partner_id != partner:
++                raise ValidationError(_('Invalid token found!'))
++
+         # Check an acquirer is there.
+         if not acquirer_id and not acquirer:
+             raise ValidationError(_('A payment acquirer is required to create a transaction.'))
+diff --git a/addons/sale/models/sale.py b/addons/sale/models/sale.py
+index e2c9512a8738a..2f745eb0191c5 100644
+--- a/addons/sale/models/sale.py
++++ b/addons/sale/models/sale.py
+@@ -1047,12 +1047,12 @@ def _create_payment_transaction(self, vals):
+                 if payment_token and payment_token.acquirer_id != acquirer:
+                     raise ValidationError(_('Invalid token found! Token acquirer %s != %s') % (
+                     payment_token.acquirer_id.name, acquirer.name))
+-                if payment_token and payment_token.partner_id != partner:
+-                    raise ValidationError(_('Invalid token found! Token partner %s != %s') % (
+-                    payment_token.partner.name, partner.name))
+             else:
+                 acquirer = payment_token.acquirer_id
+ 
++            if payment_token and payment_token.partner_id != partner:
++                raise ValidationError(_('Invalid token found!'))
++
+         # Check an acquirer is there.
+         if not acquirer_id and not acquirer:
+             raise ValidationError(_('A payment acquirer is required to create a transaction.'))
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0080_CVE-2021-23176.patch odoo-14.0.0+dfsg.2/debian/patches/0080_CVE-2021-23176.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0080_CVE-2021-23176.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0080_CVE-2021-23176.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,40 @@
+diff --git a/addons/l10n_fr_fec/wizard/account_fr_fec.py b/addons/l10n_fr_fec/wizard/account_fr_fec.py
+index d80c07d57ec..847b1427387 100644
+--- a/addons/l10n_fr_fec/wizard/account_fr_fec.py
++++ b/addons/l10n_fr_fec/wizard/account_fr_fec.py
+@@ -7,7 +7,7 @@
+ import io
+ 
+ from odoo import api, fields, models, _
+-from odoo.exceptions import UserError
++from odoo.exceptions import UserError, AccessDenied
+ from odoo.tools import float_is_zero, pycompat
+ 
+ 
+@@ -30,7 +30,7 @@ def _onchange_export_file(self):
+         if not self.test_file:
+             self.export_type = 'official'
+ 
+-    def do_query_unaffected_earnings(self):
++    def _do_query_unaffected_earnings(self):
+         ''' Compute the sum of ending balances for all accounts that are of a type that does not bring forward the balance in new fiscal years.
+             This is needed because we have to display only one line for the initial balance of all expense/revenue accounts in the FEC.
+         '''
+@@ -103,6 +103,8 @@ def _get_company_legal_data(self, company):
+ 
+     def generate_fec(self):
+         self.ensure_one()
++        if not (self.env.is_admin() or self.env.user.has_group('account.group_account_user')):
++            raise AccessDenied()
+         # We choose to implement the flat file instead of the XML
+         # file for 2 reasons :
+         # 1) the XSD file impose to have the label on the account.move
+@@ -147,7 +149,7 @@ def generate_fec(self):
+         unaffected_earnings_line = True  # used to make sure that we add the unaffected earning initial balance only once
+         if unaffected_earnings_xml_ref:
+             #compute the benefit/loss of last year to add in the initial balance of the current year earnings account
+-            unaffected_earnings_results = self.do_query_unaffected_earnings()
++            unaffected_earnings_results = self._do_query_unaffected_earnings()
+             unaffected_earnings_line = False
+ 
+         sql_query = '''
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0090_CVE-2021-23166.patch odoo-14.0.0+dfsg.2/debian/patches/0090_CVE-2021-23166.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0090_CVE-2021-23166.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0090_CVE-2021-23166.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,14 @@
+diff --git a/odoo/sql_db.py b/odoo/sql_db.py
+index c5af069728ee6..f2335c2f29bf5 100644
+--- a/odoo/sql_db.py
++++ b/odoo/sql_db.py
+@@ -538,7 +538,8 @@ def __getattr__(self, name):
+ 
+ 
+ class PsycoConnection(psycopg2.extensions.connection):
+-    pass
++    def lobject(*args, **kwargs):
++        pass
+ 
+ class ConnectionPool(object):
+     """ The pool of connections to database(s)
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0100_CVE-2021-26263.patch odoo-14.0.0+dfsg.2/debian/patches/0100_CVE-2021-26263.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0100_CVE-2021-26263.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0100_CVE-2021-26263.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,15 @@
+diff --git a/addons/mail/static/src/models/messaging_notification_handler/messaging_notification_handler.js b/addons/mail/static/src/models/messaging_notification_handler/messaging_notification_handler.js
+index eb3c79fa88f..db22b04afb2 100644
+--- a/addons/mail/static/src/models/messaging_notification_handler/messaging_notification_handler.js
++++ b/addons/mail/static/src/models/messaging_notification_handler/messaging_notification_handler.js
+@@ -760,7 +760,9 @@ function factory(dependencies) {
+                     notificationTitle = owl.utils.escape(authorName);
+                 }
+             }
+-            const notificationContent = htmlToTextContentInline(message.body).substr(0, PREVIEW_MSG_MAX_SIZE);
++            const notificationContent = owl.utils.escape(
++                htmlToTextContentInline(message.body).substr(0, PREVIEW_MSG_MAX_SIZE)
++            );
+             this.env.services['bus_service'].sendNotification(notificationTitle, notificationContent);
+             messaging.update({ outOfFocusUnreadMessageCounter: messaging.outOfFocusUnreadMessageCounter + 1 });
+             const titlePattern = messaging.outOfFocusUnreadMessageCounter === 1
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/0110_CVE-2021-23203.patch odoo-14.0.0+dfsg.2/debian/patches/0110_CVE-2021-23203.patch
--- odoo-14.0.0+dfsg.2/debian/patches/0110_CVE-2021-23203.patch	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/0110_CVE-2021-23203.patch	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,68 @@
+diff --git a/odoo/addons/base/models/ir_actions_report.py b/odoo/addons/base/models/ir_actions_report.py
+index c4b79741b6ffe..091b9f6d564b9 100644
+--- a/odoo/addons/base/models/ir_actions_report.py
++++ b/odoo/addons/base/models/ir_actions_report.py
+@@ -730,13 +730,13 @@ def _render_qweb_pdf(self, res_ids=None, data=None):
+             data = {}
+         data.setdefault('report_type', 'pdf')
+ 
+-        # access the report details with sudo() but evaluation context as current user
++        # access the report details with sudo() but evaluation context as sudo(False)
+         self_sudo = self.sudo()
+ 
+         # In case of test environment without enough workers to perform calls to wkhtmltopdf,
+         # fallback to render_html.
+         if (tools.config['test_enable'] or tools.config['test_file']) and not self.env.context.get('force_report_rendering'):
+-            return self._render_qweb_html(res_ids, data=data)
++            return self_sudo._render_qweb_html(res_ids, data=data)
+ 
+         # As the assets are generated during the same transaction as the rendering of the
+         # templates calling them, there is a scenario where the assets are unreachable: when
+@@ -833,7 +833,7 @@ def _render_qweb_text(self, docids, data=None):
+             data = {}
+         data.setdefault('report_type', 'text')
+         data = self._get_rendering_context(docids, data)
+-        return self._render_template(self.sudo().report_name, data), 'text'
++        return self._render_template(self.report_name, data), 'text'
+ 
+     @api.model
+     def _render_qweb_html(self, docids, data=None):
+@@ -843,31 +843,31 @@ def _render_qweb_html(self, docids, data=None):
+             data = {}
+         data.setdefault('report_type', 'html')
+         data = self._get_rendering_context(docids, data)
+-        return self._render_template(self.sudo().report_name, data), 'html'
++        return self._render_template(self.report_name, data), 'html'
+ 
+     @api.model
+     def _get_rendering_context_model(self):
+         report_model_name = 'report.%s' % self.report_name
+         return self.env.get(report_model_name)
+ 
+     @api.model
+     def _get_rendering_context(self, docids, data):
+-        # access the report details with sudo() but evaluation context as current user
+-        self_sudo = self.sudo()
+-
+         # If the report is using a custom model to render its html, we must use it.
+         # Otherwise, fallback on the generic html rendering.
+-        report_model = self_sudo._get_rendering_context_model()
++        report_model = self._get_rendering_context_model()
+ 
+         data = data and dict(data) or {}
+ 
+         if report_model is not None:
++            # _render_ may be executed in sudo but evaluation context as real user
++            report_model = report_model.sudo(False)
+             data.update(report_model._get_report_values(docids, data=data))
+         else:
+-            docs = self.env[self_sudo.model].browse(docids)
++            # _render_ may be executed in sudo but evaluation context as real user
++            docs = self.env[self.model].sudo(False).browse(docids)
+             data.update({
+                 'doc_ids': docids,
+-                'doc_model': self_sudo.model,
++                'doc_model': self.model,
+                 'docs': docs,
+             })
+         return data
diff -Nru odoo-14.0.0+dfsg.2/debian/patches/series odoo-14.0.0+dfsg.2/debian/patches/series
--- odoo-14.0.0+dfsg.2/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ odoo-14.0.0+dfsg.2/debian/patches/series	2023-04-28 04:28:07.000000000 +0000
@@ -0,0 +1,11 @@
+0010_CVE-2021-44775.patch
+0020_CVE-2021-45111.patch
+0030_CVE-2021-45071.patch
+0040_CVE-2021-44476.patch
+0050_CVE-2021-26947.patch
+0060_CVE-2021-23186.patch
+0070_CVE-2021-23178.patch
+0080_CVE-2021-23176.patch
+0090_CVE-2021-23166.patch
+0100_CVE-2021-26263.patch
+0110_CVE-2021-23203.patch