Your message dated Fri, 31 Aug 2012 19:17:06 +0000
with message-id <e1t7wii-0005ol...@franck.debian.org>
and subject line Bug#685011: fixed in typo3-src 4.3.9+dfsg1-1+squeeze5
has caused the Debian Bug report #685011,
regarding TYPO3-CORE-SA-2012-004: Several Vulnerabilities in TYPO3 Core
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
685011: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685011
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security


It has been discovered that TYPO3 Core is vulnerable to Cross-Site
Scripting, Information Disclosure, and Insecure Unserialize leading to
Arbitrary Code Execution.

Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.18, 4.6.0 up to 4.6.11, 4.7.0 up to
4.7.3 and development releases of the 6.0 branch.
Vulnerability Types: Cross-Site Scripting, Information Disclosure,
Insecure Unserialize
Overall Severity: Medium
Release Date: August 15, 2012


Vulnerable subcomponent: TYPO3 Backend Help System

Vulnerability Type: Insecure Unserialize leading to a possible Arbitrary
Code Execution
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:C/A:N/E:P/RL:O/RC:C

Problem Description: Due to a missing signature (HMAC) for a parameter
in the view_help.php file, an attacker could unserialize arbitrary
objects within TYPO3. We are aware of a working exploit, which can lead
to arbitrary code execution. A valid backend user login or multiple
successful cross site request forgery attacks are required to exploit
this vulnerability.



Vulnerable subcomponent: TYPO3 Backend

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: Failing to properly HTML-encode user input in
several places, the TYPO3 backend is susceptible to Cross-Site
Scripting. A valid backend user is required to exploit these
vulnerabilities.


Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C

Problem Description: Accessing the configuration module discloses the
Encryption Key. A valid backend user with access to the configuration
module is required to exploit this vulnerability.



Vulnerable subcomponent: TYPO3 HTML Sanitizing API

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C

Problem Description: By not removing several HTML5 JavaScript events,
the API method t3lib_div::RemoveXSS() fails to filter specially crafted
HTML injections and is thus susceptible to Cross-Site Scripting. Failing
to properly encode for JavaScript, the API method
t3lib_div::quoteJSvalue() is susceptible to Cross-Site Scripting.



Vulnerable subcomponent: TYPO3 Install Tool

Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

Problem Description: Failing to properly sanitize user input, the
Install Tool is susceptible to Cross-Site Scripting.


-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15

--- End Message ---
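The unserialize issue above stems from a parameter that reached unserialize() without a signature. The following is an added illustration, not TYPO3's own code or the Debian patch, of the pattern such a fix relies on: the application signs the serialized value with an HMAC keyed on a secret (in TYPO3 that would be the site's encryption key; here a constructed placeholder), verifies it in constant time before unserializing, and additionally refuses to instantiate objects. The function names and the secret are hypothetical.

```php
<?php
// Added example: protecting a serialized request parameter with an HMAC so
// that only values produced by the application itself reach unserialize().
// Function names and the secret below are hypothetical, not TYPO3's API.

declare(strict_types=1);

// Constructed placeholder; a real deployment uses its own secret key.
const EXAMPLE_SECRET = 'replace-with-site-encryption-key';

// Serialize $value and append a SHA-256 HMAC over the serialized bytes.
function signParameter(array $value, string $secret): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

// Verify the HMAC before unserializing. Returns null when the value was not
// produced by signParameter() with the same secret (tampered or forged).
function readSignedParameter(string $param, string $secret): ?array
{
    $parts = explode('.', $param, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison so the MAC does not leak through timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // Defense in depth: even with a valid MAC, never instantiate objects.
    $value = unserialize($payload, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Demonstration with constructed input: a valid parameter round-trips,
// while the same parameter with one altered byte is rejected.
$good = signParameter(['table' => 'pages', 'field' => 'title'], EXAMPLE_SECRET);
var_dump(readSignedParameter($good, EXAMPLE_SECRET));

$tampered = substr_replace($good, 'A', 0, 1);
var_dump(readSignedParameter($tampered, EXAMPLE_SECRET));
```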
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze5

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 18 Aug 2012 14:30:00 +0200
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze5
Distribution: squeeze-security
Urgency: medium
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 typo3      - The enterprise level open source WebCMS (Meta)
 typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
 typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 685011
Changes: 
 typo3-src (4.3.9+dfsg1-1+squeeze5) squeeze-security; urgency=medium
 .
   * Security patch backported from new upstream release 4.5.19:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-004:
       Several Vulnerabilities in TYPO3 Core" (Closes: 685011)


--- End Message ---
