Your message dated Wed, 21 Nov 2012 23:02:13 +0000
with message-id <e1tbjj7-0001ln...@franck.debian.org>
and subject line Bug#692775: fixed in typo3-src 4.3.9+dfsg1-1+squeeze6
has caused the Debian Bug report #692775,
regarding TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
692775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security


It has been discovered that TYPO3 Core is vulnerable to SQL Injection,
Information Disclosure and Cross-Site Scripting.

Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to
4.7.5 and development releases of the 6.0 branch.
Vulnerability Types: SQL Injection, Cross-Site Scripting, Information
Disclosure
Overall Severity: Medium
Release Date: November 8, 2012



Vulnerable subcomponent: TYPO3 Backend History Module


Vulnerability Type: SQL Injection, Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:O/RC:C

Problem Description: Due to missing encoding of user input, the history
module is susceptible to SQL Injection and Cross-Site Scripting. A valid
backend login is required to exploit this vulnerability.


Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C

Problem Description: Due to a missing access check, regular editors
could see the history view of arbitrary records, only by forging a
proper URL for the History Module. A valid backend login is required to
exploit this vulnerability.



Vulnerable subcomponent: TYPO3 Backend API


Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

Problem Description: Failing to properly HTML-encode user input, the tree
render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3
versions below 6.0 do not make use of this API and thus are not
exploitable if no third-party extension is installed which uses this
API. A valid backend login is required to exploit this vulnerability.


Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:O/RC:C

Problem Description: Failing to properly encode user input, the function
menu API is susceptible to Cross-Site Scripting. A valid backend login
is required to exploit this vulnerability.


-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15

--- End Message ---
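The history module bugs in the bulletin above describe two separate defects: request input that reaches both the SQL query and the HTML output without encoding (SQL Injection, Cross-Site Scripting), and a history view rendered without checking whether the editor may see the record (Information Disclosure). The following is an added, constructed example that is not TYPO3's history module and not code from the bug report: the sys_history schema, the "table:uid" element parameter, the table whitelist, the permission array and the sample rows are all assumptions made for the demonstration. The vulnerable function is shown beside a hardened one; the missing-HTML-encoding half is the same pattern the TCA-Tree and function menu entries describe.

```php
<?php
// Added, constructed illustration of the bug classes in TYPO3-CORE-SA-2012-005:
// request input reaching SQL and HTML unencoded, and a record history shown
// without an access check. Not TYPO3's history module code; the schema, the
// "table:uid" element parameter, the table whitelist and the access model
// are assumptions made for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sys_history (uid INTEGER PRIMARY KEY, tablename TEXT, recuid INTEGER, history_data TEXT)');
// Constructed sample rows: two content records and one backend user record.
$db->exec("INSERT INTO sys_history VALUES (1, 'tt_content', 42, 'header: Hello')");
$db->exec("INSERT INTO sys_history VALUES (2, 'tt_content', 43, 'header: Restricted section')");
$db->exec("INSERT INTO sys_history VALUES (3, 'be_users', 1, 'password: <old hash>')");

// Constructed stand-in for the editor's permissions: records (table:uid)
// this backend user is allowed to inspect.
$allowedRecords = array('tt_content:42' => true);

// Vulnerable pattern: the element parameter is split and interpolated straight
// into the query, the rows and the parameter are echoed without encoding,
// and nothing checks whether the editor may see this record at all.
function historyVulnerable(PDO $db, $element)
{
    list($table, $uid) = explode(':', $element, 2);
    $sql = "SELECT history_data FROM sys_history WHERE tablename='$table' AND recuid=$uid";
    $items = '';
    foreach ($db->query($sql) as $row) {
        $items .= '<li>' . $row['history_data'] . '</li>';
    }
    return '<h2>History of ' . $element . '</h2><ul>' . $items . '</ul>';
}

// Hardened pattern: validate the table against a whitelist, cast the uid,
// refuse the request before touching the database if the editor lacks access,
// bind the query parameters, and HTML-encode everything that is output.
function historyHardened(PDO $db, $element, array $allowedRecords)
{
    $parts = explode(':', $element, 2);
    if (count($parts) !== 2) {
        return '<p>Invalid element.</p>';
    }
    $table = $parts[0];
    $uid = (int) $parts[1];
    $knownTables = array('tt_content', 'pages');
    if (!in_array($table, $knownTables, true) || $uid <= 0) {
        return '<p>Invalid element.</p>';
    }
    if (empty($allowedRecords[$table . ':' . $uid])) {
        return '<p>Access denied.</p>';
    }
    $stmt = $db->prepare('SELECT history_data FROM sys_history WHERE tablename = :t AND recuid = :u');
    $stmt->bindValue(':t', $table, PDO::PARAM_STR);
    $stmt->bindValue(':u', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $items = '';
    foreach ($stmt as $row) {
        $items .= '<li>' . htmlspecialchars($row['history_data'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    $title = htmlspecialchars($table . ':' . $uid, ENT_QUOTES, 'UTF-8');
    return '<h2>History of ' . $title . '</h2><ul>' . $items . '</ul>';
}

// Constructed requests: a legitimate one, one for a record the editor may not
// see, an injection that widens the WHERE clause, and a script payload.
$requests = array(
    'tt_content:42',
    'tt_content:43',
    'tt_content:0 OR 1=1--',
    'tt_content<script>alert(1)</script>:42',
);
foreach ($requests as $element) {
    echo "element = $element\n";
    echo "  vulnerable: " . historyVulnerable($db, $element) . "\n";
    echo "  hardened:   " . historyHardened($db, $element, $allowedRecords) . "\n";
}
```

Run it with php on a build that has the pdo_sqlite extension. The second request shows the access-check defect: the vulnerable function prints the history of a record the editor is not entitled to. The third makes the vulnerable query's WHERE clause read "recuid=0 OR 1=1--", so every sys_history row comes back, including the be_users entry; the hardened function rejects it at the integer cast. The fourth is echoed unencoded into the heading by the vulnerable function and refused by the table whitelist in the hardened one; even if the table were valid, the htmlspecialchars calls would neutralise it.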
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze6

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Nov 2012 18:30:00 +0100
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze6
Distribution: squeeze-security
Urgency: medium
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 typo3      - The enterprise level open source WebCMS (Meta)
 typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
 typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 692775
Changes: 
 typo3-src (4.3.9+dfsg1-1+squeeze6) squeeze-security; urgency=medium
 .
   * Security patch backported from new upstream release 4.5.21:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-005:
       Several Vulnerabilities in TYPO3 Core" (Closes: 692775)
Checksums-Sha1: 
 eba66b9782909dca92a3f21e648583b9d2d15015 1400 typo3-src_4.3.9+dfsg1-1+squeeze6.dsc
 a56d2b80adc69ef6c2bb53bf51f40ad87931e362 143217 typo3-src_4.3.9+dfsg1-1+squeeze6.debian.tar.gz
 650b1851761ab332bf9be6dbe405715833b11f55 11294708 typo3-src-4.3_4.3.9+dfsg1-1+squeeze6_all.deb
 2de912a930bf11a82b5d3ec90a9d2695d907b236 201586 typo3-database_4.3.9+dfsg1-1+squeeze6_all.deb
 2815bf3266b0c9a055acf323affa561d2701d3f0 1260 typo3_4.3.9+dfsg1-1+squeeze6_all.deb
Checksums-Sha256: 
 630ae888fe752f2cb55f8afe81b63a2a4815185c3fbb6405e0d6a64337e37ae0 1400 typo3-src_4.3.9+dfsg1-1+squeeze6.dsc
 9a22d61f7c8e0b73893175284b1ac96ef923b5ddbde0472c464029b5baf75fd9 143217 typo3-src_4.3.9+dfsg1-1+squeeze6.debian.tar.gz
 519b428209090b62bc89c1ab9bab00610c50a3c526e6bcd6ebbcb62f45208f10 11294708 typo3-src-4.3_4.3.9+dfsg1-1+squeeze6_all.deb
 a341821e03eedab9a945f18d289929d92c9f18d6199cd86b1b7a9b3a70c32f88 201586 typo3-database_4.3.9+dfsg1-1+squeeze6_all.deb
 2d41d0e296db5acfc73eb07c3f3223c3f87d878b0af3c928ea96745cf4686884 1260 typo3_4.3.9+dfsg1-1+squeeze6_all.deb
Files: 
 e095ca3530bb39bd7228b661bf239299 1400 web optional typo3-src_4.3.9+dfsg1-1+squeeze6.dsc
 85b9828a3126d69ff7d9bed3d70f6105 143217 web optional typo3-src_4.3.9+dfsg1-1+squeeze6.debian.tar.gz
 a868755ffaeccb25dd9acb2f36db3bef 11294708 web optional typo3-src-4.3_4.3.9+dfsg1-1+squeeze6_all.deb
 90715e4732803fce0dcc756d530d250c 201586 web optional typo3-database_4.3.9+dfsg1-1+squeeze6_all.deb
 e6c4ec5169ea03deb5117efb5482c980 1260 web optional typo3_4.3.9+dfsg1-1+squeeze6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQnrA3AAoJEL97/wQC1SS+d5AH/3JDpCoH64zYgNHxzLc9sdmD
nEsUE50p0b10juUWnxHnz3oqBWnFCLc76/0N7LZtr3+QsDfsKKALOUBRll/FGA94
NXQXw2gY6kD1BjiQZ/Y/zet6XWyVC1i6DALTKprTDnvNZppknmtIlJ0q5j6BXhvJ
U8bi0fk3qVL5xcFaB4/DNSKKmukQhsdrw8O7WadMSDZf2ZNKcEAGnCMWk5lGCRCZ
LueyBkWnyRLRLoZ1S/EZiw8G1EuYO3H4072Ri/uePkCcrzSkhMrCmELFG5bptKVK
s1xZjgFKbeNisns9RHTswvKOBV5nPDv+YhesJALTH7bcifpWrqQYEh9QojgoL1c=
=ErLz
-----END PGP SIGNATURE-----

--- End Message ---
