Your message dated Sat, 12 Oct 2013 21:17:07 +0000
with message-id <e1vv6yd-00019w...@franck.debian.org>
and subject line Bug#720194: fixed in typo3-src 4.5.19+dfsg1-5+wheezy1
has caused the Debian Bug report #720194,
regarding TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote Code
Execution Vulnerability in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
720194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
It has been discovered that TYPO3 Core is vulnerable to Cross-Site
Scripting and Remote Code Execution.
Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: July 30, 2013
Vulnerable subcomponent: Third Party Libraries used for audio and video
playback
Vulnerability Type: Cross-Site Scripting
Affected Versions: All versions from 4.5.0 up to the development branch
of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Related CVEs: CVE-2011-3642, CVE-2013-1464
Problem Description: TYPO3 bundles flash files for video and audio
playback. Old versions of FlowPlayer and flashmedia are susceptible to
Cross-Site Scripting. No authentication is required to exploit this
vulnerability.
Vulnerable subcomponent: Backend File Upload / File Abstraction Layer
(This module is not part of the TYPO3 version in Debian!)
Vulnerability Type: Remote Code Execution by arbitrary file creation
Affected Versions: All versions from 6.0.0 up to the development branch
of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
CVE: CVE-2013-4250
--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
--- End Message ---
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.19+dfsg1-5+wheezy1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 720...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 12 Sep 2013 22:02:05 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.19+dfsg1-5+wheezy1
Distribution: wheezy-security
Urgency: medium
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - web content management system (meta)
typo3-database - web content management system (database)
typo3-dummy - web content management system (basic site structure)
typo3-src-4.5 - web content management system (core)
Closes: 720194
Changes:
typo3-src (4.5.19+dfsg1-5+wheezy1) wheezy-security; urgency=medium
.
* Added patch for TYPO3-CORE-SA-2013-002. (Closes: #720194)
- change flash audio player to new version 2.0.4.6
- Import of sources of 2.0.4.6 of 1pixelout audio player from
http://subversion.assembla.com/svn/1pixelout/audio-player/tags/2.0.4.6
- Changed audio player license (GPL-2 -> MIT)
* Set patch level version to -pl.4.5.29.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---