Your message dated Thu, 22 Aug 2013 07:48:56 +0000
with message-id <e1vcpdy-00058t...@franck.debian.org>
and subject line Bug#720194: fixed in typo3-src 4.5.29+dfsg1-1
has caused the Debian Bug report #720194,
regarding TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote Code
Execution Vulnerability in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
720194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
It has been discovered that TYPO3 Core is vulnerable to Cross-Site
Scripting and Remote Code Execution.

Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: July 30, 2013

Vulnerable subcomponent: Third Party Libraries used for audio and video playback
Vulnerability Type: Cross-Site Scripting
Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Related CVEs: CVE-2011-3642, CVE-2013-1464
Problem Description: TYPO3 bundles Flash files for video and audio
playback. Old versions of FlowPlayer and flashmedia are susceptible to
Cross-Site Scripting. No authentication is required to exploit this
vulnerability.

Vulnerable subcomponent: Backend File Upload / File Abstraction Layer
(This module is not part of the TYPO3 version in Debian!)
Vulnerability Type: Remote Code Execution by arbitrary file creation
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
CVE: CVE-2013-4250
--
Regards, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
--- End Message ---
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.29+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 720...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 21 Aug 2013 22:08:14 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.29+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - web content management system (meta)
typo3-database - web content management system (database)
typo3-dummy - web content management system (basic site structure)
typo3-src-4.5 - web content management system (core)
Closes: 720194
Changes:
typo3-src (4.5.29+dfsg1-1) unstable; urgency=medium
.
* New upstream release:
- fixes: "TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote
Code Execution Vulnerability in TYPO3 Core" (Closes: 720194)
* Import of sources of 2.0.4.6 of 1pixelout audio player from
http://subversion.assembla.com/svn/1pixelout/audio-player/tags/2.0.4.6.
* Changed audio player license (GPL-2 -> MIT).
Checksums-Sha1:
3bf00dc91aefb69d539e5827171e5b9589c6f77f 2033 typo3-src_4.5.29+dfsg1-1.dsc
ef931f78c7980ed81898490caa301d23f3f2087e 20361786 typo3-src_4.5.29+dfsg1.orig.tar.gz
e38896e42f5d8dedee4da9b74c616cc75551a5ef 404694 typo3-src_4.5.29+dfsg1-1.debian.tar.gz
737afa411f85fafcdbb16f21d0774709aaa7a2da 20244482 typo3-src-4.5_4.5.29+dfsg1-1_all.deb
0087bf25850e454c71ab88b3957ff48ab69fc33e 372356 typo3-database_4.5.29+dfsg1-1_all.deb
6fb6036db8366e3c555063c6a6cb07249658eadd 380980 typo3-dummy_4.5.29+dfsg1-1_all.deb
9bbfdfc44722ecb683eafca3308edf1d8ab6b267 1384 typo3_4.5.29+dfsg1-1_all.deb
Checksums-Sha256:
99020c1846044e1a82a6c2245968b05c216b62a47331a98cd8bee6946c59e22e 2033 typo3-src_4.5.29+dfsg1-1.dsc
fb2db288175cf042b5a85744ff58b7bcf39f0f3b64f9ed159811a10abebf008a 20361786 typo3-src_4.5.29+dfsg1.orig.tar.gz
3d3b7bbd829f43d5b05ada730ffa0a0396835ada7bf4d729030253812ecb9907 404694 typo3-src_4.5.29+dfsg1-1.debian.tar.gz
630dbd31e8f5f5a4ccefc65034488508ef3dce893b048602ca444a5fff936cb4 20244482 typo3-src-4.5_4.5.29+dfsg1-1_all.deb
abebd0e2d9795b6c47a578a5a6cae843ccf0bcdb113183aae59251d1aa0abb25 372356 typo3-database_4.5.29+dfsg1-1_all.deb
a1d82410e064f9aef5591e9f91ee990dc28d2bb1d38429d438af354518039e13 380980 typo3-dummy_4.5.29+dfsg1-1_all.deb
9cb90323c4be1501784cc50cac732fd07d354fa9f1f12ec456e6efbfd00aa929 1384 typo3_4.5.29+dfsg1-1_all.deb
Files:
bb87fbc38ab26980e4569e0ca8beaaa9 2033 web optional typo3-src_4.5.29+dfsg1-1.dsc
c7254132051409e8865ecbc8ce0092ac 20361786 web optional typo3-src_4.5.29+dfsg1.orig.tar.gz
0cb61abf19c67d40a390b6959cde2231 404694 web optional typo3-src_4.5.29+dfsg1-1.debian.tar.gz
a636572e3f3b43208deab14c980bed5b 20244482 web optional typo3-src-4.5_4.5.29+dfsg1-1_all.deb
e9be1b348d46c74af68b49151d1cbf97 372356 web optional typo3-database_4.5.29+dfsg1-1_all.deb
c764322e34d987627fac750e7f3fb34a 380980 web optional typo3-dummy_4.5.29+dfsg1-1_all.deb
1a76a85e8ed326c90db9a18b791cd6ed 1384 web optional typo3_4.5.29+dfsg1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIVAwUBUhW9h41SzelRF+EZAQpCzQ//UD100meaRPkzFy8JeuCq1aNoaYGZGRCu
hLw31xpRI56b5SYQt0sA5Up1BUm2szG7NQXBDPDhkRgUNi9rkrnKcCBA5wvyo8gp
HN+SYw1YnZ7rezF9zKFR+89D+cArOZ9//izt7qgezMtlJGi8AKAkP+KnKbnTZwUi
Zo6XXf9rT8JAAA//nD10zMmk3HPuaHw2BXdHJRROOwHZzg8+WY2nIBxdAoQlJd72
EUpfRO4mYxZTL5xdtJErOjdk8wd5xZBiuL8zsFTYU6DRuV/QvqozWzJ3ODfo0Enq
SQ/MOgMTUpJkzT5zMIlE4zX4ApwHVPeJ5Xvk2cWACkIqfpu58EXApRU72amt/bkd
G4OsAGh0ru5mFrMRUwmtjFMiyf/yLnpUGcS3/cAbjHw/d03R2P/yYOaIoDliQZXj
S3QuxkicLA6O9Vt7IYmGFGw1AMc3VsWvfelnkGfpkz2tl4LFqThd1O0ESyI7DdSe
3IgCOWi4MI+1kFtYTOrauQeepCXwVlRLgjWbQLLvAv6eCktWJbdUSFk48A1I0JPZ
MreftybYgPJ07ih73PDGWTfdmznOAmguxg1akoZQUMvq2pCFC4Y84H118g60VwkC
YbqM5/qOj6pM2F0uxn4HbIxQI7eE53XyN3ZRWasr0u+Z58Js54p4YxHKtHTyCLz1
yqEw2DWtXnY=
=liNZ
-----END PGP SIGNATURE-----
--- End Message ---
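As an added, runnable check that is not part of this thread, of dpkg, or of the typo3-src package: the bug is closed by 4.5.29+dfsg1-1, and a host inventory has to decide whether an installed typo3-src is at or above that version using Debian's ordering rules, not string comparison (4.5.3 sorts below 4.5.29, a ~bpo backport sorts below the plain revision, and an epoch outranks everything after it). The Python below re-implements dpkg's comparison algorithm (epoch, then upstream version, then Debian revision, with digit runs compared numerically and `~` sorting lowest). Every version string other than 4.5.29+dfsg1-1 is constructed for illustration.

```python
"""Compare Debian package versions the way dpkg does, to decide whether an
installed typo3-src is at or above the version that closed this bug.
Added example, not dpkg's own code: it re-implements dpkg's verrevcmp
ordering. All versions except 4.5.29+dfsg1-1 are constructed samples."""

FIXED_VERSION = "4.5.29+dfsg1-1"   # from the close message in this thread


def _order(ch: str) -> int:
    """dpkg's character weight: digits and end-of-string 0, letters their
    code point, '~' below everything, other symbols above all letters."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    if ch:
        return ord(ch) + 256
    return 0


def _char(s: str, k: int) -> str:
    """Character at index k, or '' once past the end (dpkg's NUL)."""
    return s[k] if k < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision fragments, alternating a
    non-digit run (ordered by _order) and a digit run (compared as a
    number, leading zeros dropped). Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (_char(a, i) and not _char(a, i).isdigit()) or \
              (_char(b, j) and not _char(b, j).isdigit()):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _char(a, i).isdigit() and _char(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _char(a, i).isdigit():      # a has more digits: larger number
            return 1
        if _char(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]'; epoch defaults to 0, revision
    (text after the LAST hyphen) to '', which dpkg treats as equal to '0'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _sign(c: int) -> int:
    return (c > 0) - (c < 0)


def debian_cmp(v1: str, v2: str) -> int:
    """-1, 0 or 1 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return _sign(e1 - e2)
    c = _verrevcmp(u1, u2)
    if c:
        return _sign(c)
    return _sign(_verrevcmp(r1, r2))


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts at or above the fixed one."""
    return debian_cmp(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions an inventory scan might report.
    samples = [
        "4.5.28+dfsg1-1",          # one upstream release too old
        "4.5.3+dfsg1-1",           # 3 < 29 numerically, not as a string
        "4.5.29+dfsg1-1~bpo70+1",  # backport: '~' sorts BELOW the plain -1
        "4.5.29+dfsg1-1",          # exactly the fixed version
        "4.5.29+dfsg1-2",          # later Debian revision of the fixed upstream
        "1:4.5.0+dfsg1-1",         # epoch outranks the rest: compare only
    ]                              # against a fixed version of the same epoch
    for v in samples:
        print(f"{v:26} fixed={is_fixed(v)}")
```

On a Debian host the same decision is made by dpkg itself: `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' typo3-src-4.5)" ge 4.5.29+dfsg1-1` exits 0 when the installed binary package is at or above the fixed version. The re-implementation above is for inventories collected off-host, where dpkg is not available to do the comparison.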