Your message dated Sun, 25 May 2014 09:41:34 +0000
with message-id <e1wouvu-0000qy...@franck.debian.org>
and subject line Bug#749215: fixed in typo3-src 4.5.34+dfsg1-1
has caused the Debian Bug report #749215,
regarding TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
749215: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
It has been discovered that TYPO3 CMS is vulnerable to Cross-Site
Scripting, Insecure Unserialize, Improper Session Invalidation,
Authentication Bypass, Information Disclosure and Host Spoofing.
Component Type: TYPO3 CMS
Overall Severity: Medium
Release Date: May 22, 2014
Vulnerability Type: Host Spoofing
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: Failing to properly validate the HTTP host-header,
TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP
host-header to generate absolute URLs in several places like 404
handling, http(s) enforcement, password reset links and many more. Since
the host header itself is provided by the client it can be forged to any
value, even in a name based virtual hosts environment. A blog post
describes this problem in great detail.
Vulnerable subcomponent: Color Picker Wizard
Vulnerability Type: Insecure Unserialize
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13 and 6.1.0 to 6.1.8
Severity: Low
CVE: not assigned yet
Problem Description: Failing to validate authenticity of a passed
serialized string, the color picker wizard is susceptible to insecure
unserialize, allowing authenticated editors to unserialize arbitrary PHP
objects.
Vulnerable subcomponent: Backend
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Low
CVE: not assigned yet
Problem Description: Failing to properly encode user input, several
backend components are susceptible to Cross-Site Scripting, allowing
authenticated editors to inject arbitrary HTML or JavaScript by crafting
URL parameters.
Vulnerable subcomponent: ExtJS
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: The ExtJS JavaScript framework that is shipped with
TYPO3 also delivers a flash file to show charts. This file is
susceptible to Cross-Site Scripting. This vulnerability can be exploited
without any authentication.
Vulnerable subcomponent: Authentication
Vulnerability Type: Authentication Bypass
Affected Versions: All TYPO3 versions not configured to use salted passwords
Severity: Medium
CVE: not assigned yet
Problem Description: When the use of salted passwords is disabled (it
is enabled by default since TYPO3 4.6 and required since TYPO3 6.2),
passwords for backend access are stored as MD5 hashes in the database.
This hash (e.g. taken from a successful SQL injection) can be used
directly to authenticate backend users without knowing or reverse
engineering the password.
--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
--- End Message ---
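An added example, not part of the bug report or of TYPO3's own code, of the mitigation the host-spoofing item calls for: the client-supplied Host header is validated against an allowlist before it is used to build absolute URLs such as password-reset links, and a forged value falls back to the configured canonical host. The trusted host set, canonical host and sample inputs are constructed values.

```python
import re
from typing import Optional, Tuple

# Constructed sample configuration (not TYPO3 settings): the hosts this site
# legitimately answers to, and the canonical host used for generated links.
TRUSTED_HOSTS = {"www.example.org", "example.org"}
CANONICAL_HOST = "www.example.org"

# Hostname (letters, digits, '.', '-') plus an optional numeric port.
# IPv6 literals and userinfo ('user@host') are deliberately rejected, which
# is the safe default for a name-based virtual host.
_HOST_RE = re.compile(r"^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$")


def parse_host_header(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Split a Host header into (hostname, port); None if malformed."""
    m = _HOST_RE.match(value.strip().lower())
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 1 <= port <= 65535:
        return None
    return m.group(1), port


def is_trusted_host(value: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only if the header parses and names an allowlisted host."""
    parsed = parse_host_header(value)
    return parsed is not None and parsed[0] in trusted


def absolute_url(host_header: str, path: str, scheme: str = "https") -> str:
    """Build an absolute URL (e.g. a password-reset link).

    The Host value from the request is used only when it is on the
    allowlist; otherwise the configured canonical host is used, so a forged
    header never ends up in a link that is mailed to a user.
    """
    parsed = parse_host_header(host_header)
    if parsed is None or parsed[0] not in TRUSTED_HOSTS:
        authority = CANONICAL_HOST
    else:
        host, port = parsed
        authority = host if port is None else f"{host}:{port}"
    if not path.startswith("/"):
        path = "/" + path
    return f"{scheme}://{authority}{path}"
```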
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.34+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 749...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 25 May 2014 10:00:00 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.34+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - web content management system (meta)
typo3-database - web content management system (database)
typo3-dummy - web content management system (basic site structure)
typo3-src-4.5 - web content management system (core)
Closes: 749215
Changes:
typo3-src (4.5.34+dfsg1-1) unstable; urgency=high
.
* New upstream release:
- fixes: "TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS"
(Closes: #749215)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---