Your message dated Sat, 18 Aug 2012 05:47:44 +0000
with message-id <e1t2bsu-00035z...@franck.debian.org>
and subject line Bug#685011: fixed in typo3-src 4.5.19+dfsg1-1
has caused the Debian Bug report #685011,
regarding TYPO3-CORE-SA-2012-004: Several Vulnerabilities in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
685011: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685011
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
It has been discovered that TYPO3 Core is vulnerable to Cross-Site
Scripting, Information Disclosure, Insecure Unserialize leading to
Arbitrary Code Execution
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.18, 4.6.0 up to 4.6.11, 4.7.0 up to
4.7.3 and development releases of the 6.0 branch.
Vulnerability Types: Cross-Site Scripting, Information Disclosure,
Insecure Unserialize
Overall Severity: Medium
Release Date: August 15, 2012
Vulnerable subcomponent: TYPO3 Backend Help System
Vulnerability Type: Insecure Unserialize leading to a possible Arbitrary
Code Execution
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:C/A:N/E:P/RL:O/RC:C
Problem Description: Due to a missing signature (HMAC) for a parameter
in the view_help.php file, an attacker could unserialize arbitrary
objects within TYPO3. We are aware of a working exploit, which can lead
to arbitrary code execution. A valid backend user login or multiple
successful cross site request forgery attacks are required to exploit
this vulnerability.
Vulnerable subcomponent: TYPO3 Backend
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly HTML-encode user input in
several places, the TYPO3 backend is susceptible to Cross-Site
Scripting. A valid backend user is required to exploit these
vulnerabilities.
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: Accessing the configuration module discloses the
Encryption Key. A valid backend user with access to the configuration
module is required to exploit this vulnerability.
Vulnerable subcomponent: TYPO3 HTML Sanitizing API
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C
Problem Description: By not removing several HTML5 JavaScript events,
the API method t3lib_div::RemoveXSS() fails to filter specially crafted
HTML injections, thus is susceptible to Cross-Site Scripting. Failing to
properly encode for JavaScript the API method t3lib_div::quoteJSvalue(),
it is susceptible to Cross-Site Scripting.
Vulnerable subcomponent: TYPO3 Install Tool
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly sanitize user input, the
Install Tool is susceptible to Cross-Site Scripting.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
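The first item of the bulletin quoted above is the standard PHP object-injection shape: a request parameter carries a serialize()d value and reaches unserialize() with no signature over it, so whoever controls the parameter decides which classes get instantiated, and whose __wakeup()/__destruct() code runs, inside the application. The following is an added example, not TYPO3's code and not its actual fix; EXAMPLE_SECRET, the Gadget class and the signParam()/loadUnsigned()/loadSigned() helpers are all hypothetical names, and the code targets PHP 7.1 or later. It puts the unsigned pattern next to an HMAC-signed one. The secret is a stand-in for whatever site-wide key the application signs with: if that key leaks (compare the Encryption Key disclosure item in the same bulletin), every such signature can be forged, which is why that "Low" finding deserves attention alongside the unserialize one.

```php
<?php
// Added example, not TYPO3 code: a serialized value carried in a request
// parameter, first unsigned (the pattern the bulletin describes) and then
// protected with an HMAC that is checked before unserialize() ever runs.
// Needs PHP 7.1+; every name below is hypothetical.

// Stand-in for the application's signing key. If it leaks, every signature
// produced below can be forged by the attacker.
const EXAMPLE_SECRET = 'replace-with-a-long-random-secret';

// Stand-in for the "arbitrary objects" an attacker gets to instantiate.
// Its side effect is a harmless echo; a real gadget chain's would not be.
class Gadget
{
    public $cmd = 'noop';
    public function __destruct()
    {
        echo "Gadget::__destruct ran, cmd={$this->cmd}\n";
    }
}

// Vulnerable: the client's bytes go straight into unserialize().
function loadUnsigned(string $param)
{
    return unserialize($param);
}

// Hardened, sending side: sign the exact serialized bytes.
function signParam(array $value): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, EXAMPLE_SECRET);
    return base64_encode($payload) . '.' . $mac;
}

// Hardened, receiving side: verify the MAC in constant time, and only then
// unserialize, with object instantiation disabled (allowed_classes => false)
// because this parameter only ever carries an array.
function loadSigned(string $param): ?array
{
    $parts = explode('.', $param, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    if (!hash_equals(hash_hmac('sha256', $payload, EXAMPLE_SECRET), $mac)) {
        return null; // tampered, forged, or signed under another key
    }
    $value = unserialize($payload, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Constructed inputs.
$legit = ['table' => 'tt_content', 'field' => 'bodytext'];
// What an attacker would put in the URL: a serialized Gadget, no key needed.
$attacker = 'O:6:"Gadget":1:{s:3:"cmd";s:4:"noop";}';

// The attacker's object is created inside the app; its destructor runs as
// soon as the discarded return value is freed.
loadUnsigned($attacker);

// Round trip of a legitimately signed parameter: the original array comes back.
$signed = signParam($legit);
var_dump(loadSigned($signed) === $legit);

// Same serialized Gadget with a made-up MAC: rejected before unserialize().
var_dump(loadSigned(base64_encode($attacker) . '.' . str_repeat('0', 64)));

// Valid MAC from the legitimate parameter glued onto the attacker payload:
// rejected, the MAC covers different bytes.
$stolenMac = explode('.', $signed, 2)[1];
var_dump(loadSigned(base64_encode($attacker) . '.' . $stolenMac));
```

Two details carry the weight here: hash_equals() rather than == for the MAC comparison, and the MAC being computed over the serialized bytes exactly as transmitted, so that base64 decoding and MAC checking happen before any parsing of the payload. Where a parameter never needs to carry objects at all, allowed_classes => false (or switching the format to JSON) removes the gadget surface even if a signature check is later bypassed.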
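The HTML Sanitizing API item in the bulletin above names two distinct failure modes: RemoveXSS() works by removing constructs it knows about, so any event attribute missing from its list passes through, and quoteJSvalue() has to make a value safe for the JavaScript string it is placed in and for the HTML <script> element around that string. The example below is added here and is not TYPO3 code; stripListedEvents(), naiveQuoteJs(), quoteJs(), encodeForHtml() and LEGACY_EVENT_LIST are hypothetical stand-ins, not reconstructions of the TYPO3 methods. It shows a pre-HTML5 deny-list walked past with oninput (one event that HTML5 introduced), a quoter that escapes only quotes and backslashes being broken out of with </script>, and the encode-everything alternatives. Needs PHP 7.2 or later with mbstring for mb_ord().

```php
<?php
// Added example, not TYPO3 code: the two failure modes named in the
// HTML Sanitizing API item, reproduced with hypothetical functions.
// Needs PHP 7.2+ with mbstring (mb_ord).

// (1) Removing a fixed list of event attributes. Anything the list does not
// name passes through untouched; a list written before HTML5 has no entry
// for 'oninput', to pick one event HTML5 introduced.
const LEGACY_EVENT_LIST = ['onclick', 'onload', 'onmouseover', 'onerror', 'onfocus', 'onblur'];

function stripListedEvents(string $html): string
{
    foreach (LEGACY_EVENT_LIST as $event) {
        $html = preg_replace(
            '/\s' . preg_quote($event, '/') . '\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]*)/i',
            '',
            $html
        );
    }
    return $html;
}

// Untrusted markup that must not execute script: encode all of it, or hand
// it to an allowlisting HTML parser. A deny-list is never finished.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// (2) Quoting a value for a JavaScript string literal. Escaping only the
// quote and the backslash satisfies the JS parser but ignores the HTML
// parser, which ends the <script> element at the first '</script>' no
// matter where it sits inside a JS string.
function naiveQuoteJs(string $s): string
{
    return "'" . addcslashes($s, "'\\") . "'";
}

// Hardened: every character outside a conservative set becomes \xHH or
// \uHHHH, so neither the string literal nor the surrounding HTML can be
// closed early (this also neutralises the U+2028/U+2029 line terminators).
function quoteJs(string $s): string
{
    $escaped = preg_replace_callback('/[^A-Za-z0-9 ,.\-_:]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x100) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp <= 0xFFFF) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000; // astral plane: emit a UTF-16 surrogate pair
        return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
    }, $s);
    if ($escaped === null) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return "'" . $escaped . "'";
}

// Constructed inputs.
$jsPayload = '</script><script>alert(1)</script>';
// The naive quoter emits the payload verbatim: the browser's HTML parser
// closes the script element in the middle of the string literal.
echo '<script>var v = ' . naiveQuoteJs($jsPayload) . ";</script>\n";
// The hardened quoter hex-escapes every '<', '>', '/', '(' and ')', so the
// markup never reaches the HTML parser as markup.
echo '<script>var v = ' . quoteJs($jsPayload) . ";</script>\n";

$html = '<input oninput="alert(1)" onclick="alert(2)">';
// onclick is on the list and is removed; oninput is not and survives.
echo stripListedEvents($html), "\n";
// Encoded, the whole thing renders as text and no attribute is live.
echo encodeForHtml($html), "\n";
```

The general rule the example illustrates: choose the encoder by the context the value lands in (HTML body, HTML attribute, JavaScript string inside a <script> block), and encode on output rather than trying to clean input, because a deny-list has to anticipate every parser feature the browser will ever add.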
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.19+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 685...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Aug 2012 22:40:03 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.19+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - web content management system (meta)
typo3-database - web content management system (database)
typo3-dummy - web content management system (basic site structure)
typo3-src-4.5 - web content management system (core)
Closes: 685011
Changes:
typo3-src (4.5.19+dfsg1-1) unstable; urgency=high
.
* New upstream release:
- fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-004: Several
Vulnerabilities in TYPO3 Core" (Closes: 685011)
Checksums-Sha1:
f35b4dcd23a6c292e2c9ff3111cfb4eae8c0cdb8 2056 typo3-src_4.5.19+dfsg1-1.dsc
ed5be0a77370a357261ea1269bf5fd38f16b9c79 20191202 typo3-src_4.5.19+dfsg1.orig.tar.gz
f52c72986070a424f22abd66db020dd2ce02f976 384884 typo3-src_4.5.19+dfsg1-1.debian.tar.gz
eaa856930278117ecfef9ff2f33a4f9f842e52e1 20067728 typo3-src-4.5_4.5.19+dfsg1-1_all.deb
99510b33aadc03c7d5b7f8bfa91e23c6e9292c1c 281622 typo3-database_4.5.19+dfsg1-1_all.deb
e31569cc6eba6a9e4088faa4a7082f354ee19ed4 289618 typo3-dummy_4.5.19+dfsg1-1_all.deb
54e077c4bc9884243b745b1843d617c58d7586c7 1246 typo3_4.5.19+dfsg1-1_all.deb
Checksums-Sha256:
ecddbcce2517c00335eddda6aad102a881b835decdc1e186164bbb626c5276fd 2056 typo3-src_4.5.19+dfsg1-1.dsc
f70e438647d69d4fce4b34d09043e3225311e1b418d312f2ff5ba541494e366e 20191202 typo3-src_4.5.19+dfsg1.orig.tar.gz
bb6e3ba4deddeaaaa2c16eb4a6f2677c7b0a3a1b7214c56d70bc15153b15b2e8 384884 typo3-src_4.5.19+dfsg1-1.debian.tar.gz
02cc1edc3e5dfcb395780cc56725c49b9b95efcd4aefe7a6e34db398b5a37a45 20067728 typo3-src-4.5_4.5.19+dfsg1-1_all.deb
6bca87e44205545f8de8689c0d561f0e32af52cbf7e4d913f5e2179d1d790d97 281622 typo3-database_4.5.19+dfsg1-1_all.deb
056acc572391e8ef49d85a3827e438a9f477a0f1ebbb1b443a3f4ece843f1c7d 289618 typo3-dummy_4.5.19+dfsg1-1_all.deb
9970f321ad9120a509d298a44277c39e4aae0e5bb3008289c98527c7ba3396e8 1246 typo3_4.5.19+dfsg1-1_all.deb
Files:
b8edca76d164927fb0b72f58d3769d0c 2056 web optional typo3-src_4.5.19+dfsg1-1.dsc
14ba987b34e6a3decab0004b42083fb6 20191202 web optional typo3-src_4.5.19+dfsg1.orig.tar.gz
e528120ed32720faa0daa1bf74b4e88c 384884 web optional typo3-src_4.5.19+dfsg1-1.debian.tar.gz
414f31e6dfe84a88c596582b9b2b3d99 20067728 web optional typo3-src-4.5_4.5.19+dfsg1-1_all.deb
4d7926df23e63f7f972d1961f2e7087a 281622 web optional typo3-database_4.5.19+dfsg1-1_all.deb
b1abcd5c3db7aef9d79b8a46b3b8ef98 289618 web optional typo3-dummy_4.5.19+dfsg1-1_all.deb
d68ee9bbcad2b266f4e4584e4c318dcd 1246 web optional typo3_4.5.19+dfsg1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---