Your message dated Wed, 28 Mar 2012 19:03:50 +0000
with message-id <e1scy9u-0000hc...@franck.debian.org>
and subject line Bug#666074: fixed in typo3-src 4.5.14+dfsg1-1
has caused the Debian Bug report #666074,
regarding TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several Vulnerabilities in TYPO3 Core
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
666074: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666074
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security

Component Type: TYPO3 Core

Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to
4.6.6 and development releases of the 4.7 and 6.0 branch.
Vulnerability Types: Cross-Site Scripting, Information Disclosure,
Insecure Unserialize
Overall Severity: Medium
Release Date: March 28, 2012

Vulnerable subcomponent: Extbase Framework

Affected Versions: Versions 4.4.x and 4.5.x are NOT affected by this
vulnerability.
Vulnerability Type: Insecure Unserialize
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: Due to a missing signature (HMAC) for a request
argument, an attacker could unserialize arbitrary objects within TYPO3.
To our knowledge it is neither possible to inject code through this
vulnerability, nor are there exploitable objects within the TYPO3 Core.
However, there might be exploitable objects within third party extensions.

Vulnerable subcomponent: TYPO3 Backend

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: Failing to properly HTML-encode user input in
several places, the TYPO3 backend is susceptible to Cross-Site
Scripting. A valid backend user is required to exploit these
vulnerabilities.

IMPORTANT NOTE: With these TYPO3 versions the description field of the
filelink content element is HTML encoded by default. If you allowed
editors to enter HTML code in this field, you may want to add the
following line to your TypoScript template, before updating.

tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0

Allowing HTML in this field is discouraged for editors, same as allowing
the plain HTML content element.

Vulnerable subcomponent: TYPO3 Command Line Interface

Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

Problem Description: Accessing a CLI Script directly with a browser may
disclose the database name used for the TYPO3 installation.

Vulnerable subcomponent: TYPO3 HTML Sanitizing API

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C

Problem Description: By not removing non-printable characters, the API
method t3lib_div::RemoveXSS() fails to filter specially crafted HTML
injections and is thus susceptible to Cross-Site Scripting.

-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15

--- End Message ---
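The Extbase issue in the bulletin above is a request argument that was deserialized without a signature. The following Python example is added here and is not TYPO3 code: it shows the pattern the fix relies on, signing the serialized argument server-side and verifying the HMAC with a constant-time comparison before anything is deserialized. SERVER_KEY, sign_argument, load_signed_argument and the sample argument values are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets

# Server-side secret. In a real installation this comes from the site's
# configuration; here it is generated on the fly for the example.
SERVER_KEY = secrets.token_bytes(32)


def sign_argument(value, key=SERVER_KEY):
    """Serialize a request argument and append an HMAC-SHA256 tag.

    The tag covers the exact bytes that will later be deserialized, so
    any change to the payload invalidates it.
    """
    payload = json.dumps(value, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def load_signed_argument(token, key=SERVER_KEY):
    """Verify the tag first and only then deserialize the payload.

    Returns the decoded value, or None if the token is malformed or the
    tag does not match (for example because the client edited the argument).
    """
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def demo():
    """Round-trip a valid argument and show an edited one being rejected."""
    token = sign_argument({"page": 3, "sort": "title"})
    accepted = load_signed_argument(token)
    # Re-use the genuine tag on an edited payload: without the key no
    # matching tag can be produced, so decoding never happens.
    _, tag = token.split(".", 1)
    edited = json.dumps({"page": 99, "sort": "title"}, sort_keys=True)
    rejected = load_signed_argument(edited.encode("utf-8").hex() + "." + tag)
    return accepted, rejected
```

The same gate applies unchanged to a PHP unserialize() or Python pickle payload: the deserializer is only ever reached with bytes the server itself produced.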
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.14+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-database_4.5.14+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-database_4.5.14+dfsg1-1_all.deb
typo3-dummy_4.5.14+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-dummy_4.5.14+dfsg1-1_all.deb
typo3-src-4.5_4.5.14+dfsg1-1_all.deb
  to main/t/typo3-src/typo3-src-4.5_4.5.14+dfsg1-1_all.deb
typo3-src_4.5.14+dfsg1-1.debian.tar.gz
  to main/t/typo3-src/typo3-src_4.5.14+dfsg1-1.debian.tar.gz
typo3-src_4.5.14+dfsg1-1.dsc
  to main/t/typo3-src/typo3-src_4.5.14+dfsg1-1.dsc
typo3-src_4.5.14+dfsg1.orig.tar.gz
  to main/t/typo3-src/typo3-src_4.5.14+dfsg1.orig.tar.gz
typo3_4.5.14+dfsg1-1_all.deb
  to main/t/typo3-src/typo3_4.5.14+dfsg1-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 666...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Mar 2012 15:47:41 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.14+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 typo3      - web content management system (meta)
 typo3-database - web content management system (database)
 typo3-dummy - web content management system (basic site structure)
 typo3-src-4.5 - web content management system (core)
Closes: 666074
Changes: 
 typo3-src (4.5.14+dfsg1-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several
       Vulnerabilities in TYPO3 Core" (Closes: 666074)
   * Package descriptions rewritten
   * Reworked copyright file
   * Add RSA-Auth to default configuration
   * Fix description of patch 05-add-source-for-mediaplayer-swfs.patch
   * Added source for modernizr and swfupload as debian-patches
   * Added target "get-orig-source" to rules to fetch upstream blankpackage.zip
     file and repack it to .tar.gz
   * Removed find-sql target from rules
   * Added target prepare-source to rules
   * Adopted watch file for zip download
   * Added note about creation of source package to README.source
   * Changed depend from ttf-dejavu to ttf-bitstream-vera. Adjusted symlink of
     vera.tff accordingly.
   * Refreshed patches for removed "dummy" directory.
   * Bumped standards version to 3.9.3
   * Added description to patches 07 and 08.

--- End Message ---