Your message dated Fri, 16 Sep 2011 17:04:16 +0000
with message-id <e1r4bpo-0000gb...@franck.debian.org>
and subject line Bug#641682: fixed in typo3-src 4.5.6+dfsg1-1
has caused the Debian Bug report #641682,
regarding TYPO3 Security Bulletin TYPO3-CORE-SA-2011-002: Potential SQL injection vulnerability in TYPO3 Core
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
641682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641682
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
Version: 4.5.4+dfsg1-1

Component Type: TYPO3 Core
Affected Versions: 4.5.0 - 4.5.5
Release Date: September 14, 2011

Vulnerable subcomponent: Database API

Vulnerability Type: SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: Failing to properly replace parameter values, the
usage of prepared statements could lead to a SQL Injection
vulnerability. This issue can only be exploited if two or more
parameters are bound to the query and at least two come from user input.

We carefully analysed the usage of prepared queries in the TYPO3 Core
and found that it is not exploitable. We are also not aware of any
extension in the TER that uses this feature in an exploitable way.
Nevertheless all users of TYPO3 4.5.x are advised to update their
installations as soon as possible.


-- 
 Regards, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15

--- End Message ---
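The failure mode the bulletin above describes, as an added illustration that is not TYPO3's code and does not reproduce its Database API: a hypothetical emulated prepared statement that substitutes bound values into the SQL text one placeholder at a time, beside a single-pass binder and a post-binding check for placeholders that survived outside any string literal. The query, table and column names and the two values are constructed for the example.

```python
# Hypothetical emulated prepared statement (not TYPO3's implementation).
def quote(value):
    """Minimal SQL literal quoting for this illustration; real code should
    rely on the driver's server-side binding instead."""
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"

def bind_sequential(sql, params):
    """Flawed binder: for each value, replace the first remaining '?'.
    A '?' inside an already substituted value is mistaken for the next
    placeholder, so the following value lands inside the earlier literal."""
    for value in params:
        sql = sql.replace("?", quote(value), 1)
    return sql

def bind_single_pass(sql, params):
    """Corrected binder: split on the placeholders once, then interleave
    the quoted values; substituted text is never re-scanned."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder and parameter counts differ")
    out = [parts[0]]
    for value, tail in zip(params, parts[1:]):
        out.append(quote(value))
        out.append(tail)
    return "".join(out)

def unbound_placeholders(bound_sql):
    """Post-binding check: count '?' outside string literals ('' escapes
    respected). Anything left over means the binding step misfired."""
    in_literal, count, i = False, 0, 0
    while i < len(bound_sql):
        ch = bound_sql[i]
        if ch == "'":
            if in_literal and bound_sql[i + 1:i + 2] == "'":
                i += 1  # escaped quote inside a literal, skip its partner
            else:
                in_literal = not in_literal
        elif ch == "?" and not in_literal:
            count += 1
        i += 1
    return count

# Constructed sample: two user-supplied values, the first containing a '?'.
SQL = "SELECT uid FROM fe_users WHERE username = ? AND email = ?"
PARAMS = ["bob?", "bob@example.org"]

def demo():
    return bind_sequential(SQL, PARAMS), bind_single_pass(SQL, PARAMS)
```

With the sequential binder the second value ends up inside the first literal and one placeholder is left unbound, which is why the bulletin requires at least two user-controlled parameters; server-side parameter binding avoids the string substitution entirely.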
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.6+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-database_4.5.6+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-database_4.5.6+dfsg1-1_all.deb
typo3-dummy_4.5.6+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-dummy_4.5.6+dfsg1-1_all.deb
typo3-src-4.5_4.5.6+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-src-4.5_4.5.6+dfsg1-1_all.deb
typo3-src_4.5.6+dfsg1-1.debian.tar.gz
  to main/t/typo3-src/typo3-src_4.5.6+dfsg1-1.debian.tar.gz
typo3-src_4.5.6+dfsg1-1.dsc
  to main/t/typo3-src/typo3-src_4.5.6+dfsg1-1.dsc
typo3-src_4.5.6+dfsg1.orig-dummy.tar.gz
  to main/t/typo3-src/typo3-src_4.5.6+dfsg1.orig-dummy.tar.gz
typo3-src_4.5.6+dfsg1.orig.tar.gz
  to main/t/typo3-src/typo3-src_4.5.6+dfsg1.orig.tar.gz
typo3_4.5.6+dfsg1-1_all.deb
  to main/t/typo3-src/typo3_4.5.6+dfsg1-1_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 641...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 15 Sep 2011 10:00:00 +0100
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.6+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 typo3      - The enterprise level open source WebCMS (Meta)
 typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
 typo3-dummy - web content management system
 typo3-src-4.5 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 641682 641683
Changes: 
 typo3-src (4.5.6+dfsg1-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2011-002: Potential
       SQL injection vulnerability in TYPO3 Core" (Closes: 641682)
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error
       handling could lead to cache flooding in TYPO3 Core" (Closes: 641683)

--- End Message ---