Your message dated Wed, 21 Nov 2012 23:02:13 +0000
with message-id <e1tbjj7-0001m2...@franck.debian.org>
and subject line Bug#692775: fixed in typo3-src 4.3.9+dfsg1-1+squeeze7
has caused the Debian Bug report #692775,
regarding TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
692775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
It has been discovered that TYPO3 Core is vulnerable to SQL Injection,
Information Disclosure and Cross-Site Scripting.
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to
4.7.5 and development releases of the 6.0 branch.
Vulnerability Types: SQL Injection, Cross-Site Scripting, Information
Disclosure
Overall Severity: Medium
Release Date: November 8, 2012
Vulnerable subcomponent: TYPO3 Backend History Module
Vulnerability Type: SQL Injection, Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:O/RC:C
Problem Description: Due to missing encoding of user input, the history
module is susceptible to SQL Injection and Cross-Site Scripting. A valid
backend login is required to exploit this vulnerability.
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: Due to a missing access check, regular editors
could see the history view of arbitrary records, only by forging a
proper URL for the History Module. A valid backend login is required to
exploit this vulnerability.
Vulnerable subcomponent: TYPO3 Backend API
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly HTML-encode user input, the tree
render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3
versions below 6.0 do not make use of this API and are thus not
exploitable if no third-party extension is installed which uses this
API. A valid backend login is required to exploit this vulnerability.
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:O/RC:C
Problem Description: Failing to properly encode user input, the function
menu API is susceptible to Cross-Site Scripting. A valid backend login
is required to exploit this vulnerability.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
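The three root causes named in the problem descriptions above (request values reaching SQL without encoding, record data reaching HTML without encoding, and a history view shown without checking that the editor may read the record) are easiest to see side by side in a small hardened handler. The script below is an added illustration written for this page; it is not TYPO3's code and not the upstream fix. It assumes PHP 7 or later with the pdo_sqlite extension, and the table name `sys_history_demo`, the in-memory rows and the `$userPermissions` list are constructed stand-ins for TYPO3's real history table and backend permission model.

```php
<?php
// Added example (not TYPO3 code): the defect classes from TYPO3-CORE-SA-2012-005
// shown as hardened patterns. Assumes PHP >= 7 with pdo_sqlite; table, rows and
// permission model below are constructed for the demonstration.

declare(strict_types=1);

// Constructed sample data standing in for a record history table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sys_history_demo (uid INTEGER, tablename TEXT, recuid INTEGER, title TEXT)');
$db->exec("INSERT INTO sys_history_demo VALUES (1, 'pages', 10, 'Public page <b>v1</b>')");
$db->exec("INSERT INTO sys_history_demo VALUES (2, 'pages', 20, 'Restricted page v1')");

// Weak pattern (the class of defect in the history module): the request value
// becomes part of the SQL text, so its content can change the query's meaning.
function historyRowsUnsafe(PDO $db, string $recuid): array
{
    return $db->query("SELECT * FROM sys_history_demo WHERE recuid = $recuid")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the request value is validated as an integer and bound as a
// parameter; it can never be interpreted as SQL.
function historyRows(PDO $db, string $table, int $recuid): array
{
    $stmt = $db->prepare(
        'SELECT uid, tablename, recuid, title FROM sys_history_demo WHERE tablename = :t AND recuid = :u'
    );
    $stmt->bindValue(':t', $table, PDO::PARAM_STR);
    $stmt->bindValue(':u', $recuid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Access check that the advisory reports as missing: a forged URL naming another
// record must be refused before any history is read or rendered.
// Constructed permission model: a per-user list of readable "table:uid" pairs.
function canReadRecord(array $userPermissions, string $table, int $recuid): bool
{
    return in_array("$table:$recuid", $userPermissions, true);
}

// Output encoding for every stored value that reaches HTML (history titles,
// tree labels, function menu entries); ENT_QUOTES also covers attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Handler for a history request built from URL parameters table= and uid=.
function renderHistory(PDO $db, array $userPermissions, array $request): string
{
    $table = (string)($request['table'] ?? '');
    $recuid = filter_var($request['uid'] ?? null, FILTER_VALIDATE_INT);
    // Reject anything that is not a plain table name and an integer uid.
    if ($recuid === false || !preg_match('/^[a-z_]+$/', $table)) {
        return '<p>Invalid request.</p>';
    }
    // Authorisation is decided on the validated (table, uid) pair, not on the URL.
    if (!canReadRecord($userPermissions, $table, $recuid)) {
        return '<p>Access denied.</p>';
    }
    $out = '<ul>';
    foreach (historyRows($db, $table, $recuid) as $row) {
        $out .= '<li>' . h($row['title']) . '</li>';
    }
    return $out . '</ul>';
}

// Constructed editor who may read record pages:10 but not pages:20.
$editor = ['pages:10'];
echo renderHistory($db, $editor, ['table' => 'pages', 'uid' => '10']), "\n";
echo renderHistory($db, $editor, ['table' => 'pages', 'uid' => '20']), "\n";
echo renderHistory($db, $editor, ['table' => 'pages', 'uid' => '10 OR 1']), "\n";
```

Run with `php history_demo.php`: the first request renders the title with its markup escaped, the second is refused by the access check even though the URL is well formed, and the third is rejected by input validation before the query is ever built. The ordering matters for detection as well: validation and authorisation failures happen before the database is touched, so logging at those two return points gives a clean signal of forged history URLs without noise from legitimate editors.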
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze7
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 10 Nov 2012 18:30:00 +0100
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze7
Distribution: squeeze-security
Urgency: medium
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - The enterprise level open source WebCMS (Meta)
typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 692775
Changes:
typo3-src (4.3.9+dfsg1-1+squeeze7) squeeze-security; urgency=medium
.
* Security patch backported from new upstream release 4.5.21 and 4.5.22:
- fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-005:
Several Vulnerabilities in TYPO3 Core" (Closes: 692775)
Checksums-Sha1:
b37f61a7881d8b02fa27d5706c94fd71b5c0c710 1400
typo3-src_4.3.9+dfsg1-1+squeeze7.dsc
88e118e368ad8de183065ad3bdf5d3fe19e4c438 143119
typo3-src_4.3.9+dfsg1-1+squeeze7.debian.tar.gz
69e07c6d0386253bc8b267d4544374b758550825 11294668
typo3-src-4.3_4.3.9+dfsg1-1+squeeze7_all.deb
eef2441a468a2fdb32fe844f043bc8b8d9bcc4cb 201588
typo3-database_4.3.9+dfsg1-1+squeeze7_all.deb
b4401c57b610df57966bda9418de7f442cc43aad 1258
typo3_4.3.9+dfsg1-1+squeeze7_all.deb
Checksums-Sha256:
ab71a2e1fce6de04c582f0bcd476563bc64f02e66d0f999ae221bd908cab2fe4 1400
typo3-src_4.3.9+dfsg1-1+squeeze7.dsc
0517722644ed389dd016b354add52822a3cfdb26438805eec87c77a979d94114 143119
typo3-src_4.3.9+dfsg1-1+squeeze7.debian.tar.gz
92d6f201b7d80d6dd6b8177d267f63bd026725af1ce1b7a1c454bcfa71a3ec6b 11294668
typo3-src-4.3_4.3.9+dfsg1-1+squeeze7_all.deb
0f1717c23cbc18f17beadbfc63e52cbbae22b065814f9c9cff09d67691caa254 201588
typo3-database_4.3.9+dfsg1-1+squeeze7_all.deb
30a5c9eaa7a782f2ccaccd08a0d25ab8f2ec9394abad9e341dc5dcebac987299 1258
typo3_4.3.9+dfsg1-1+squeeze7_all.deb
Files:
55e79bd1790683aeac3e13a2c2c0d6fb 1400 web optional
typo3-src_4.3.9+dfsg1-1+squeeze7.dsc
402dfeb0905f6980af70a4b915ae807c 143119 web optional
typo3-src_4.3.9+dfsg1-1+squeeze7.debian.tar.gz
563d890cc3b694476119c8bf3e33cce6 11294668 web optional
typo3-src-4.3_4.3.9+dfsg1-1+squeeze7_all.deb
458bbe03ded6f560bcedc51d83c467e9 201588 web optional
typo3-database_4.3.9+dfsg1-1+squeeze7_all.deb
3bed572c50ae6edd0300da701710dfbd 1258 web optional
typo3_4.3.9+dfsg1-1+squeeze7_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJQpVtxAAoJEL97/wQC1SS+9CkH/A/kHOcaN98lv0OSothh8gXo
/QFCZAbRC1CizeEtRI/N4ZMVDAc9fNExB2MPYL633WCXChQP/hQjN1N6ktxhLCKC
lSBF/DYW0WkfFVrvj5pJfvRyGTd1100XE/0a0ZJ9bDxJXbrSxnfDvJKDJtUKoC9Q
wHmyP0DRHbO9FKeUYFf64vr0fjpWbH7DuSzyoxelvYLMezjr6/jV0j56cSZQ8e1v
KdGzTlQ1fYGvGgrZaAYCBwhX80Xg4nAHdNdmyrN5JHkINMrhLTebVJjUNyYuXL18
sSWnphmirch5z7n3dF/HRXiFsxRiva3JM/etmtyG5/6WJgX3Y2egvXBhjZzURgc=
=1EXZ
-----END PGP SIGNATURE-----
--- End Message ---