Your message dated Fri, 23 Jan 2009 14:47:16 +0000
with message-id <e1lqnju-0002rg...@ries.debian.org>
and subject line Bug#512608: fixed in typo3-src 4.2.4-1
has caused the Debian Bug report #512608,
regarding [SA33617] Typo3 Multiple Vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
512608: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512608
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for Typo3:

SA33617[1]

> DESCRIPTION:
> Some vulnerabilities have been reported in Typo3, which can be
> exploited by malicious people to bypass certain security
> restrictions, conduct cross-site scripting and session fixation
> attacks, and compromise a vulnerable system.
> 
> 1) The "Install tool" system extension uses insufficiently random
> entropy sources to generate an encryption key, resulting in weak
> security.
> 
> 2) The authentication library does not properly invalidate supplied
> session tokens, which can be exploited to hijack a user's session.
> 
> 3) Certain unspecified input passed to the "Indexed Search Engine"
> system extension is not properly sanitised before being used to
> invoke commands. This can be exploited to inject and execute
> arbitrary shell commands.
> 
> 4) Input passed via the name and content of files to the "Indexed
> Search Engine" system extension is not properly sanitised before
> being returned to the user. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an affected site.
> 
> 5) Certain unspecified input passed to the Workspace module is not
> properly sanitised before being returned to the user. This can be
> exploited to execute arbitrary HTML and script code in a user's
> browser session in context of an affected site.
> 
> Note: It is also reported that certain unspecified input passed to
> test scripts of the "ADOdb" system extension is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected website.
> 
> SOLUTION:
> Update to Typo3 version 4.0.10, 4.1.8, or 4.2.4.
> 
> Generate a new encryption key (see vendor's advisory for more
> information).
> 
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1) Chris John Riley of Raiffeisen Informatik, CERT Security
> Competence Center Zwettl
> 2) Marcus Krause
> 3, 4) Mads Olesen
> 5) Daniel Fabian, SEC Consult
> 
> ORIGINAL ADVISORY:
> TYPO3-SA-2009-001:
> http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/

If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1]http://secunia.com/advisories/33617/

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl4IpcACgkQNxpp46476ar0ngCfSRgis+Em7SqxFn/3biLtqRVt
/noAn0W0Y1T7EDOytyIfw4l63Ix+3yEE
=PAgw
-----END PGP SIGNATURE-----



--- End Message ---
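The advisory above names four distinct weakness classes (weak key entropy, session fixation, shell command injection from indexed file names, and reflected HTML from file names and content). The block below is an added illustration of each as a vulnerable function beside its hardened counterpart; it is hypothetical example code, not TYPO3's own source and not the upstream fix. All function names are invented, `pdftotext` stands in for whatever external extraction tool an indexer might call, and PHP 7.4+ is assumed for `random_bytes()` and arrow functions.

```php
<?php
// Added illustration of the TYPO3-SA-2009-001 weakness classes.
// Hypothetical helpers, not TYPO3 code. Assumes PHP 7.4 or later.
declare(strict_types=1);

// 1) Encryption key generation: predictable sources vs. the OS CSPRNG.
function weakEncryptionKey(): string
{
    // uniqid() is wall-clock time and mt_rand() is a seeded PRNG; an attacker
    // who can estimate the install time has a small seed space to search.
    return md5(uniqid((string) mt_rand(), true));
}

function strongEncryptionKey(int $bytes = 48): string
{
    // random_bytes() reads the OS CSPRNG and throws if none is available.
    return bin2hex(random_bytes($bytes));
}

// 2) Session fixation: a session ID that existed before login must not
//    survive the login, and the server must not adopt IDs it never issued.
function loginFixable(string $user): void
{
    session_start();               // accepts any client-supplied session ID
    $_SESSION['user'] = $user;     // and binds the authenticated user to it
}

function loginHardened(string $user): void
{
    ini_set('session.use_strict_mode', '1'); // reject unknown IDs outright
    session_start();
    session_regenerate_id(true);   // issue a fresh ID, delete the old record
    $_SESSION['user'] = $user;
}

// 3) Shell command injection: a file name interpolated into a command line.
function extractTextInjectable(string $path): string
{
    // A file uploaded as 'report.pdf; id' runs id under the web server user.
    return (string) shell_exec("pdftotext $path -");
}

function extractTextHardened(string $path): string
{
    // escapeshellarg() single-quotes the argument so metacharacters are data.
    return (string) shell_exec('pdftotext ' . escapeshellarg($path) . ' -');
}

function hardenedCommandLine(string $path): string
{
    // Builds the same command without running it, for inspection.
    return 'pdftotext ' . escapeshellarg($path) . ' -';
}

// 4) Cross-site scripting: file name and snippet echoed into a results page.
function renderResultInjectable(string $filename, string $snippet): string
{
    return "<li><b>$filename</b>: $snippet</li>";
}

function renderResultHardened(string $filename, string $snippet): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li><b>' . $e($filename) . '</b>: ' . $e($snippet) . '</li>';
}

// Constructed inputs (not from the advisory) showing the difference without
// touching a real session or running an external tool.
$evilName = '<script>alert(1)</script>.pdf';
echo renderResultInjectable($evilName, 'x'), "\n";
echo renderResultHardened($evilName, 'x'), "\n";
echo hardenedCommandLine('report.pdf; id'), "\n";
echo strongEncryptionKey(), "\n";
```

The advisory's "generate a new encryption key" step matters because rotating the key only helps if the new one comes from a source like `random_bytes()`; regenerating with the weak routine leaves the system where it was. Likewise, `session_regenerate_id(true)` must run after authentication succeeds, not merely at session start, or the attacker-chosen ID is still the one that ends up authenticated.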
--- Begin Message ---
Source: typo3-src
Source-Version: 4.2.4-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.4-1_all.deb
  to pool/main/t/typo3-src/typo3-src-4.2_4.2.4-1_all.deb
typo3-src_4.2.4-1.diff.gz
  to pool/main/t/typo3-src/typo3-src_4.2.4-1.diff.gz
typo3-src_4.2.4-1.dsc
  to pool/main/t/typo3-src/typo3-src_4.2.4-1.dsc
typo3-src_4.2.4.orig.tar.gz
  to pool/main/t/typo3-src/typo3-src_4.2.4.orig.tar.gz
typo3_4.2.4-1_all.deb
  to pool/main/t/typo3-src/typo3_4.2.4-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Jan 2009 12:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.4-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 512608
Changes: 
 typo3-src (4.2.4-1) unstable; urgency=high
 .
   * New upstream release.
     - fixes TYPO3 Security Bulletin TYPO3-SA-2009-001: Multiple vulnerabilities
       in TYPO3 Core (Closes: 512608)
   * Updated package description.
   * Updated copyright file to list the license of two icons.
Checksums-Sha1: 
 d79ec3d523491553bf509b280b18e62047b588fd 980 typo3-src_4.2.4-1.dsc
 6165fd8b0e22a0a5ea9658cf1917c9f9999c485e 8143390 typo3-src_4.2.4.orig.tar.gz
 5e8acc2656caf9423cbaf989a5dd6fb0feda54ce 108502 typo3-src_4.2.4-1.diff.gz
 500b5a17ab52739ced9315e541e6b6d073180e75 133372 typo3_4.2.4-1_all.deb
 e94a21f948f7b78a4806a192479a291f306b0e28 8195376 typo3-src-4.2_4.2.4-1_all.deb
Checksums-Sha256: 
 d26d44b81eab53bc16b9899e6b65f3ee09912535ebe99aed68a441695f794c81 980 typo3-src_4.2.4-1.dsc
 a6551239ea33bc5fa351964fc5d4114a1bdd8286061c22aac3f1021c8d74b32a 8143390 typo3-src_4.2.4.orig.tar.gz
 d8895e06f8e5c828f04bb3e763cf9f02512ca2daf0fb2b7a0ba55700305366b0 108502 typo3-src_4.2.4-1.diff.gz
 edc8c35256bfbe3971847164e7c8f46b445e97a92551b1d7961dd29ec6ee5eb5 133372 typo3_4.2.4-1_all.deb
 7de8750033e65f32a427ebb423efc88dcc959a95d3b14a13068c50d84ec6b760 8195376 typo3-src-4.2_4.2.4-1_all.deb
Files: 
 0703c94488fea193f92cf93a9ca139c6 980 web optional typo3-src_4.2.4-1.dsc
 82ce83b665e3b19a823442549c138ddf 8143390 web optional typo3-src_4.2.4.orig.tar.gz
 89664d0b9cc0bec0146134e8a6748a77 108502 web optional typo3-src_4.2.4-1.diff.gz
 3a6a3dc2f9bfdd78f3bc076ab37add8b 133372 web optional typo3_4.2.4-1_all.deb
 b7e59f88a962c3671ff086634afd52e5 8195376 web optional typo3-src-4.2_4.2.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJec4oUHLQNqxYNSARAt7dAKDBZCQU39IdnQmuOXHtogPwIfFUDQCgqL81
r4tTTuLj/DsybzqiiZjrX9w=
=hDtz
-----END PGP SIGNATURE-----



--- End Message ---