Your message dated Sat, 31 Mar 2012 15:02:10 +0000
with message-id <e1sdzog-0000cq...@franck.debian.org>
and subject line Bug#666074: fixed in typo3-src 4.3.9+dfsg1-1+squeeze3
has caused the Debian Bug report #666074,
regarding TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several
Vulnerabilities in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
666074: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666074
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to
4.6.6 and development releases of the 4.7 and 6.0 branches.
Vulnerability Types: Cross-Site Scripting, Information Disclosure,
Insecure Unserialize
Overall Severity: Medium
Release Date: March 28, 2012
Vulnerable subcomponent: Extbase Framework
Affected Versions: Versions 4.4.x and 4.5.x are NOT affected by this
vulnerability.
Vulnerability Type: Insecure Unserialize
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Due to a missing signature (HMAC) for a request
argument, an attacker could unserialize arbitrary objects within TYPO3.
To our knowledge it is neither possible to inject code through this
vulnerability, nor are there exploitable objects within the TYPO3 Core.
However, there might be exploitable objects within third party extensions.
Vulnerable subcomponent: TYPO3 Backend
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly HTML-encode user input in
several places, the TYPO3 backend is susceptible to Cross-Site
Scripting. A valid backend user is required to exploit these
vulnerabilities.
IMPORTANT NOTE: With these TYPO3 versions the description field of the
filelink content element is HTML encoded by default. If you allowed
editors to enter HTML code in this field, you may want to add the
following line to your TypoScript template, before updating.
tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0
Allowing HTML in this field is discouraged for editors, same as allowing
the plain HTML content element.
Vulnerable subcomponent: TYPO3 Command Line Interface
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: Accessing a CLI Script directly with a browser may
disclose the database name used for the TYPO3 installation.
Vulnerable subcomponent: TYPO3 HTML Sanitizing API
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: By not removing non-printable characters, the API
method t3lib_div::RemoveXSS() fails to filter specially crafted HTML
injections and is thus susceptible to Cross-Site Scripting.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
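The Extbase item in the bulletin above describes the fix only in one sentence: a request argument that reaches unserialize() must carry a signature (HMAC) so that a client cannot substitute its own serialized data. The PHP below is an added example of that pattern, not TYPO3's or Extbase's own implementation; the function names signArgument() and verifyAndUnserialize(), the token layout (base64 payload, a dot, a hex HMAC) and the secret value are all assumptions made for the example.

```php
<?php
// Added example (not TYPO3/Extbase project code): an HMAC-protected serialized
// request argument. Assumes a server-side secret that is never sent to the
// client; signArgument()/verifyAndUnserialize() are hypothetical helper names.

declare(strict_types=1);

// Serialize the value and attach an HMAC-SHA256 tag before it leaves the server.
// Layout: base64(payload) . '.' . hex(HMAC). Neither part can contain '.', so the
// separator is unambiguous.
function signArgument($value, string $secret): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

// Verify the tag BEFORE unserialize() ever sees the payload; reject on any mismatch.
function verifyAndUnserialize(string $signed, string $secret)
{
    $parts = explode('.', $signed, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed signed argument');
    }
    [$encoded, $mac] = $parts;

    $payload = base64_decode($encoded, true);   // strict mode rejects stray bytes
    if ($payload === false) {
        throw new InvalidArgumentException('malformed signed argument');
    }

    $expected = hash_hmac('sha256', $payload, $secret);
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the MAC were correct.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('signature mismatch: argument was tampered with');
    }

    // Defence in depth: even with a valid MAC, do not let unserialize() build
    // arbitrary objects. Use an explicit allow-list of expected classes instead
    // of `false` if the argument legitimately carries objects.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed demo values (placeholder secret, not a real key).
$secret = 'CHANGE-ME-server-side-secret';
$token  = signArgument(['uid' => 42, 'action' => 'show'], $secret);

// Round trip with an untouched token succeeds.
var_dump(verifyAndUnserialize($token, $secret));

// Changing a single byte of the payload is detected and the data is never
// passed to unserialize().
$tampered = 'A' . substr($token, 1);
try {
    verifyAndUnserialize($tampered, $secret);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php` (PHP 7.0 or later, for the allowed_classes option of unserialize()). The order of operations is the point: decode, verify the MAC, and only then unserialize. Reversing the last two steps would reintroduce exactly the weakness the bulletin describes, because unserialize() instantiates objects (and runs their __wakeup()/__destruct() methods) before any later check can run.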
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze3
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-database_4.3.9+dfsg1-1+squeeze3_all.deb
to main/t/typo3-src/typo3-database_4.3.9+dfsg1-1+squeeze3_all.deb
typo3-src-4.3_4.3.9+dfsg1-1+squeeze3_all.deb
to main/t/typo3-src/typo3-src-4.3_4.3.9+dfsg1-1+squeeze3_all.deb
typo3-src_4.3.9+dfsg1-1+squeeze3.debian.tar.gz
to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze3.debian.tar.gz
typo3-src_4.3.9+dfsg1-1+squeeze3.dsc
to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze3.dsc
typo3_4.3.9+dfsg1-1+squeeze3_all.deb
to main/t/typo3-src/typo3_4.3.9+dfsg1-1+squeeze3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 666...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 28 Mar 2012 20:06:30 +0200
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze3
Distribution: squeeze-security
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - The enterprise level open source WebCMS (Meta)
typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 666074
Changes:
typo3-src (4.3.9+dfsg1-1+squeeze3) squeeze-security; urgency=high
.
* Security patch backported from new upstream release 4.4.14:
- fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several
Vulnerabilities in TYPO3 Core" (Closes: 666074)
Checksums-Sha1:
6049f551c06af37c9e56409365d2d6d4aa560ccf 1740 typo3-src_4.3.9+dfsg1-1+squeeze3.dsc
7afb1dd41239382d7ca76949ae222f8ebc36b959 131582 typo3-src_4.3.9+dfsg1-1+squeeze3.debian.tar.gz
ca3a9e6b20d04e644ba524ff3e2f128cb268d833 11282840 typo3-src-4.3_4.3.9+dfsg1-1+squeeze3_all.deb
d39445b64c603910bed8c87b20d4d7b36afb3aa0 202600 typo3-database_4.3.9+dfsg1-1+squeeze3_all.deb
5d7450f4aa8c30824ecb55dc7bee6d1f456d0057 1258 typo3_4.3.9+dfsg1-1+squeeze3_all.deb
Checksums-Sha256:
fa114dae9d55d84a4e99c8bdfb1fb665a9b911b121fbd3f0a6d510782213b91e 1740 typo3-src_4.3.9+dfsg1-1+squeeze3.dsc
7ff6a9e8ec42d3fb931eb6e825beb363f43f7b151449b287452f0795271310c6 131582 typo3-src_4.3.9+dfsg1-1+squeeze3.debian.tar.gz
18fb061971d8ede03f02439f17e726ca59790b8777e7a47b39481479686254e4 11282840 typo3-src-4.3_4.3.9+dfsg1-1+squeeze3_all.deb
eb4014565eafb29521991442d59895677d296f31103eeb1ea609b8a655de3bf2 202600 typo3-database_4.3.9+dfsg1-1+squeeze3_all.deb
547aa53c1641046c4dc122abee4278572041bb7edce173fec05bafcc86666301 1258 typo3_4.3.9+dfsg1-1+squeeze3_all.deb
Files:
07ef7cbfdee8eaee4f719b6d188e0a43 1740 web optional typo3-src_4.3.9+dfsg1-1+squeeze3.dsc
8947595738f3b8fd334f0929f09c1c37 131582 web optional typo3-src_4.3.9+dfsg1-1+squeeze3.debian.tar.gz
cb98b494665aa801c206c7e6e6ea24c3 11282840 web optional typo3-src-4.3_4.3.9+dfsg1-1+squeeze3_all.deb
6b7155c3ca623cb5c202339a45e88fc0 202600 web optional typo3-database_4.3.9+dfsg1-1+squeeze3_all.deb
54b39c7e1b886fa6878cbc372b652868 1258 web optional typo3_4.3.9+dfsg1-1+squeeze3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---