Your message dated Tue, 10 Feb 2009 15:32:10 +0000
with message-id <e1lwuao-0003fm...@ries.debian.org>
and subject line Bug#514713: fixed in typo3-src 4.2.5-1+lenny1
has caused the Debian Bug report #514713,
regarding Information disclosure and XSS vulnerabilities in TYPO3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
514713: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514713
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Version: 4.0.2+debian-7
Severity: critical
Tags: security
TYPO3 Security Bulletin TYPO3-SA-2009-002:
Information Disclosure & XSS in TYPO3 Core
Problem Description 1: An Information Disclosure vulnerability in the jumpUrl
mechanism, used to track access to web pages and provided files, allows a
remote attacker to read arbitrary files on a host.
The expected value of a mandatory hash secret, intended to invalidate such
requests, is exposed to remote users allowing them to bypass access control by
providing the correct value.
There's no authentication required to exploit this vulnerability. The
vulnerability allows reading any file that the web server user account has
access to.
Problem Description 2: Because user input is not sanitized, three fields in
the backend are open to Cross-Site Scripting (XSS).
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
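Added example (not part of the bug report above and not TYPO3's own code): a Python model of the class of bug described in Problem 1, a jumpUrl-style download gate whose only control is a hash keyed with a value the client can learn, placed beside a hardened variant. Everything here is constructed for illustration: the sample files, the names LEAKED_KEY, SERVER_KEY, serve_vulnerable and serve_hardened, and the assumption that the key is simply known to the attacker (the report says the expected value is exposed; the way TYPO3 exposed it is not described there and is not modelled).

```python
# Added example, not from the bug report or from TYPO3. Models the class of bug in
# Problem 1: a jumpUrl-style download gate whose hash is keyed with a value the
# client can learn, next to a hardened version. All names and files are constructed.
import hashlib
import hmac
import os
import tempfile
from typing import Optional

# Constructed sample tree: a web root with one public file, and a file outside
# the web root that must never be served (stands in for e.g. a config file).
ROOT = tempfile.mkdtemp()
WEBROOT = os.path.join(ROOT, "htdocs")
os.makedirs(os.path.join(WEBROOT, "fileadmin"))
with open(os.path.join(WEBROOT, "fileadmin", "brochure.txt"), "w") as fh:
    fh.write("public brochure\n")
with open(os.path.join(ROOT, "secret.conf"), "w") as fh:
    fh.write("db_password=hunter2\n")

# ---- vulnerable pattern ----------------------------------------------------
# Hypothetical: the key the hash is derived from is obtainable by the client
# (the advisory says the expected value is exposed; how is not modelled here).
LEAKED_KEY = "key-the-client-can-learn"


def jump_hash_vulnerable(path: str, key: str) -> str:
    """Plain digest over path+key: anyone holding `key` can mint a valid hash."""
    return hashlib.md5((path + key).encode()).hexdigest()


def serve_vulnerable(path: str, presented_hash: str) -> Optional[bytes]:
    """Serve `path` relative to WEBROOT if the hash matches. No path confinement:
    the hash is the only control, so a known key means arbitrary file read."""
    if presented_hash != jump_hash_vulnerable(path, LEAKED_KEY):
        return None
    with open(os.path.join(WEBROOT, path), "rb") as fh:
        return fh.read()


# ---- hardened pattern ------------------------------------------------------
SERVER_KEY = os.urandom(32)  # generated and kept server-side only


def jump_hash_hardened(path: str) -> str:
    """HMAC with a server-side key: not forgeable without SERVER_KEY."""
    return hmac.new(SERVER_KEY, path.encode(), hashlib.sha256).hexdigest()


def serve_hardened(path: str, presented_hash: str) -> Optional[bytes]:
    """Two independent controls: a constant-time HMAC check and confinement of
    the resolved path to WEBROOT. A leaked key defeats the first; the second
    still holds, so a forged link cannot leave the web root."""
    expected = jump_hash_hardened(path)
    if not hmac.compare_digest(presented_hash.encode(), expected.encode()):
        return None
    base = os.path.realpath(WEBROOT)
    target = os.path.realpath(os.path.join(base, path))
    if os.path.commonpath([base, target]) != base:
        return None  # resolved outside the web root (e.g. "../secret.conf")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise both variants with a legitimate link and a traversal attempt."""
    public = "fileadmin/brochure.txt"
    evil = "../secret.conf"  # resolves to ROOT/secret.conf, outside WEBROOT
    return {
        # legitimate link as the application itself would emit it
        "vuln_ok": serve_vulnerable(public, jump_hash_vulnerable(public, LEAKED_KEY)),
        # attacker knows the key, so recomputes the hash for an arbitrary path
        "vuln_traversal": serve_vulnerable(evil, jump_hash_vulnerable(evil, LEAKED_KEY)),
        "hard_ok": serve_hardened(public, jump_hash_hardened(public)),
        # without SERVER_KEY the best an attacker can do is guess
        "hard_guess": serve_hardened(evil, "0" * 64),
        # even a valid HMAC for a traversal path is refused by the confinement check
        "hard_traversal": serve_hardened(evil, jump_hash_hardened(evil)),
    }


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name}: {content!r}")
```

The point of the two-layer hardened variant is the one the advisory makes implicitly: a hash gate is only as strong as the secrecy of its key, so the download path must also be confined on its own, regardless of whether the hash verifies.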
--- Begin Message ---
Source: typo3-src
Source-Version: 4.2.5-1+lenny1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-src-4.2_4.2.5-1+lenny1_all.deb
to pool/main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny1_all.deb
typo3-src_4.2.5-1+lenny1.diff.gz
to pool/main/t/typo3-src/typo3-src_4.2.5-1+lenny1.diff.gz
typo3-src_4.2.5-1+lenny1.dsc
to pool/main/t/typo3-src/typo3-src_4.2.5-1+lenny1.dsc
typo3_4.2.5-1+lenny1_all.deb
to pool/main/t/typo3-src/typo3_4.2.5-1+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 514...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 10 Feb 2009 15:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.5-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - Powerful content management framework (Meta package)
typo3-src-4.2 - Powerful content management framework (Core)
Closes: 514713
Changes:
typo3-src (4.2.5-1+lenny1) testing-security; urgency=high
.
* Added patches (backported from 4.2.6) to fix a critical information
disclosure vulnerability in TYPO3 core and an XSS issue in the TYPO3
backend module (Closes: 514713).
Checksums-Sha1:
bddbe90a7d4f43f5d608c5efd343ba1a5d99b4ce 1016 typo3-src_4.2.5-1+lenny1.dsc
93c3cf6c5db77b93fa2e090ae272d29566e49d1b 8144727 typo3-src_4.2.5.orig.tar.gz
57519be969841d5cf4a40745e65e912b3564add4 109976 typo3-src_4.2.5-1+lenny1.diff.gz
acc6daad479c102628f6b1f58047a29891acde23 133756 typo3_4.2.5-1+lenny1_all.deb
d93739c7310aa131a4f32fda304ebc229710d669 8181114 typo3-src-4.2_4.2.5-1+lenny1_all.deb
Checksums-Sha256:
e9f9b9dae473d88123041e87daeed55ad938f160acec8d7c08ead26f3cb079ad 1016 typo3-src_4.2.5-1+lenny1.dsc
8de681685ac020b471e9da91440ad97b0bbaba1caa2188719644711def8a3ed3 8144727 typo3-src_4.2.5.orig.tar.gz
cd30f3e9dea8b00a29cd1b1956cb8a53ed4b65b02b148b74e01a070721cccb14 109976 typo3-src_4.2.5-1+lenny1.diff.gz
eddbdbee8d3f5781c0ae40aeb70e1696211fd12c2f7d6a3c7abd221606226e22 133756 typo3_4.2.5-1+lenny1_all.deb
e4bcede90f62162188e955eb125e911ff6959149cd8047ad403a54ab7043400b 8181114 typo3-src-4.2_4.2.5-1+lenny1_all.deb
Files:
ed22ba3b5744983a81264e4fb418ea80 1016 web optional typo3-src_4.2.5-1+lenny1.dsc
75b2e5db6ac586fb6176f329be452159 8144727 web optional typo3-src_4.2.5.orig.tar.gz
e4eec7cdd26c6ddcf8c6c4dfc9ff9839 109976 web optional typo3-src_4.2.5-1+lenny1.diff.gz
d8139c971339516196e056b53c038b60 133756 web optional typo3_4.2.5-1+lenny1_all.deb
cf42b5a2332d3dadfd9f2313215c0796 8181114 web optional typo3-src-4.2_4.2.5-1+lenny1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmRmrMACgkQHYflSXNkfP+u5wCeNLcCzSldWmgEZqyMHuVva7y5
u9gAoJkTORxwBat/RjxaEIWcS66eX4S0
=qSzq
-----END PGP SIGNATURE-----
--- End Message ---