Your message dated Sun, 22 Apr 2012 09:20:10 +0000
with message-id <e1slsxm-0004o4...@franck.debian.org>
and subject line Bug#669158: fixed in typo3-src 4.5.15+dfsg1-1
has caused the Debian Bug report #669158,
regarding TYPO3-CORE-SA-2012-002: Cross-Site Scripting Vulnerability in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
669158: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to 4.6.7 and development releases of the 4.7 branch.
Vulnerable subcomponent: Exception Handler
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly encode the output, the default
TYPO3 Exception Handler is susceptible to Cross-Site Scripting.
We are not aware of a possibility to exploit this vulnerability without
third party extensions being installed that put user input in exception
messages.
However it has come to our attention that extensions using the extbase
MVC framework can be used to exploit this vulnerability if these
extensions accept objects in controller actions.
In general and especially when in doubt if the above conditions are met,
we highly recommend users of affected versions to update as soon as
possible.
Important Note: In case you have configured your own exception handler
for TYPO3 you need to make sure that the exception messages are properly
encoded within this exception handler before they are presented.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
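The advisory above describes the defect in one sentence (the default exception handler writes the exception message into the error page without encoding it) and gives one mitigation for sites that register their own handler (encode the message before presenting it). The following PHP is an added example written for this page; it is not TYPO3 code and not the upstream fix. It puts a handler with the vulnerable pattern next to a hardened one, so the difference is visible on a constructed message that carries markup, the way a third-party extension might have copied request input into an exception. The function names, the page layout and the sample message are all assumptions.

```php
<?php
// Added example, not TYPO3 code: an uncaught-exception handler that echoes the
// exception message into HTML unencoded, beside one that encodes it first.
// All names below are constructed for illustration.

// Vulnerable pattern: the message is concatenated into the HTML body as-is, so
// any markup that reached the exception text is parsed by the browser.
function renderExceptionUnsafe($e)
{
    return '<h1>Oops, an error occurred!</h1><p>' . $e->getMessage() . '</p>';
}

// Encode a string for the HTML text (and attribute) context.
function encodeForHtml($text)
{
    // ENT_QUOTES also encodes ' and " so the same value is safe inside an
    // attribute; the explicit charset avoids the ISO-8859-1 default that
    // PHP versions before 5.4 used.
    $encoded = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Without ENT_SUBSTITUTE (PHP >= 5.4 only) htmlspecialchars() returns ''
    // for input that is not valid UTF-8. Return a fixed placeholder instead,
    // so the error page never silently emits an empty message.
    if ($encoded === '' && $text !== '') {
        return '[exception message contained invalid UTF-8 and was suppressed]';
    }
    return $encoded;
}

// Hardened pattern: identical page, but the message goes through the encoder.
function renderExceptionSafe($e)
{
    return '<h1>Oops, an error occurred!</h1><p>' . encodeForHtml($e->getMessage()) . '</p>';
}

// What a custom handler registered via set_exception_handler() should do.
// No type hint, so the same function also receives PHP 7 Error objects.
function handleUncaughtException($e)
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    echo renderExceptionSafe($e);
}

// Constructed sample: an exception whose message carries markup copied from
// untrusted input. Run from the CLI to compare both renderings.
$sample = new RuntimeException('Argument "uid" is invalid: <script>alert(1)</script>');
echo renderExceptionUnsafe($sample), "\n";
echo renderExceptionSafe($sample), "\n";

set_exception_handler('handleUncaughtException');
```

In the unencoded rendering the `<script>` element is emitted verbatim and would execute in a visitor's browser; in the encoded rendering it is written as `&lt;script&gt;` text and the quotes become `&quot;`. The invalid-UTF-8 fallback is the detail that is easy to miss when retrofitting encoding onto an older handler: an empty return value from `htmlspecialchars()` is not an error, it just makes the message disappear.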
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.15+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-database_4.5.15+dfsg1-1_all.deb
to main/t/typo3-src/typo3-database_4.5.15+dfsg1-1_all.deb
typo3-dummy_4.5.15+dfsg1-1_all.deb
to main/t/typo3-src/typo3-dummy_4.5.15+dfsg1-1_all.deb
typo3-src-4.5_4.5.15+dfsg1-1_all.deb
to main/t/typo3-src/typo3-src-4.5_4.5.15+dfsg1-1_all.deb
typo3-src_4.5.15+dfsg1-1.debian.tar.gz
to main/t/typo3-src/typo3-src_4.5.15+dfsg1-1.debian.tar.gz
typo3-src_4.5.15+dfsg1-1.dsc
to main/t/typo3-src/typo3-src_4.5.15+dfsg1-1.dsc
typo3-src_4.5.15+dfsg1.orig.tar.gz
to main/t/typo3-src/typo3-src_4.5.15+dfsg1.orig.tar.gz
typo3_4.5.15+dfsg1-1_all.deb
to main/t/typo3-src/typo3_4.5.15+dfsg1-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 669...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 21 Apr 2012 12:32:23 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.15+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - web content management system (meta)
typo3-database - web content management system (database)
typo3-dummy - web content management system (basic site structure)
typo3-src-4.5 - web content management system (core)
Closes: 669158
Changes:
typo3-src (4.5.15+dfsg1-1) unstable; urgency=medium
.
* New upstream release:
- fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-002: Cross-Site
Scripting Vulnerability in TYPO3 Core" (Closes: 669158)
* Database update for field uc in be_users.
* Added bugfix patch for TYPO3 bug #36238.
* Added patch for errors with PHP 5.4
* Move Homepage field to source package.
* Added Vcs-Git, changed Vcs-Browser to point to github
* changed Homepage field to typo3.org
* Cleanup of watch file.
* Added comments to lintian overrides.
* Raised compat level to 7.
* Deleted typo3-src-4.5.examples because it's empty.
* Removed numbering from patches, changed order to alphabetical.
* Changed index.html files to print warning about directory listing only,
not redirect anymore.
* Disable directory listing globally in apache config.
Checksums-Sha1:
945623bb2009df1679af08ca96dd8e9cfa738e43 2007 typo3-src_4.5.15+dfsg1-1.dsc
b8b4975316ae43097050842b74c19d003216b8c3 20435234 typo3-src_4.5.15+dfsg1.orig.tar.gz
f6117311e3caf9d7ec5963dca8632c5bed051106 184347 typo3-src_4.5.15+dfsg1-1.debian.tar.gz
4d77468369bd6cab0761b556f14d1b42408961c1 20253126 typo3-src-4.5_4.5.15+dfsg1-1_all.deb
1d28455a6eb48df0554a1e237439089a34b6306b 277884 typo3-database_4.5.15+dfsg1-1_all.deb
d1ae8d0756a279980c31f09f02631e06079d7396 286880 typo3-dummy_4.5.15+dfsg1-1_all.deb
93a82cbe8c52e6882a9abc249388ef6439104dec 1242 typo3_4.5.15+dfsg1-1_all.deb
Checksums-Sha256:
b4b214fdadf45929dea9ca2b965077e06b3bb0588b76bb9a6a37ba20b7d29f5b 2007 typo3-src_4.5.15+dfsg1-1.dsc
05c1c11e642b6e3657f0105062010eb4d89864ddf191ddb9c1514b897f40f626 20435234 typo3-src_4.5.15+dfsg1.orig.tar.gz
339426055241112a627c454c595bbacd04857d1ddf8c4ab97b7a4fd8096cfb26 184347 typo3-src_4.5.15+dfsg1-1.debian.tar.gz
c07366cc072f09a09f535e90e775b083aab1a1edc40522e73f9164457cd8d7cb 20253126 typo3-src-4.5_4.5.15+dfsg1-1_all.deb
8f9098ca90941f4a922568659783d5ed8db463c3b51fb3abda58652dd3540a47 277884 typo3-database_4.5.15+dfsg1-1_all.deb
ad2018e276e002f3beea8b96847fbe2a1507310c517c7305e5a321bf7b117fc5 286880 typo3-dummy_4.5.15+dfsg1-1_all.deb
f8822f6c835501d9dc53b7481049c58a4fb1312ffd4dca5985fe03036f5eadbd 1242 typo3_4.5.15+dfsg1-1_all.deb
Files:
b423e2545e38cd5e1d4d55c20034c5f5 2007 web optional typo3-src_4.5.15+dfsg1-1.dsc
d34706983bd3c49de83546b754939287 20435234 web optional typo3-src_4.5.15+dfsg1.orig.tar.gz
6bbe3494f32063f2f7fe8d3614ac74c5 184347 web optional typo3-src_4.5.15+dfsg1-1.debian.tar.gz
3d8401b240b7b2dd8304647c42b00610 20253126 web optional typo3-src-4.5_4.5.15+dfsg1-1_all.deb
7029781614821ad5b3d448d3025b3766 277884 web optional typo3-database_4.5.15+dfsg1-1_all.deb
bad3c54b7bc4311a91ec8941d8e31a8e 286880 web optional typo3-dummy_4.5.15+dfsg1-1_all.deb
495efa9a24b35a2e32fe1a2fc4e51600 1242 web optional typo3_4.5.15+dfsg1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
=l8kp
-----END PGP SIGNATURE-----
--- End Message ---