Does this look reasonable?

<vuln vid="cf36b6a1-7d08-11e1-b720-000c2994762c">
  <topic>Typo3 - Cross-Site Scripting, Information Disclosure, Insecure Unserialize</topic>
  <affects>
    <package>
      <name>typo3</name>
      <range><ge>4.6</ge><le>4.6.6</le></range>
    </package>
    <package>
      <name>typo345</name>
      <range><ge>4.5</ge><le>4.5.13</le></range>
    </package>
    <package>
      <name>typo344</name>
      <range><ge>4.4</ge><le>4.4.13</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The typo3 security team reports:</p>
      <blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/">
        <p>Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within TYPO3.</p>
        <p>Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.</p>
        <p>Accessing a CLI Script directly with a browser may disclose the database name used for the TYPO3 installation.</p>
        <p>By not removing non printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2012-1605</cvename>
    <cvename>CVE-2012-1606</cvename>
    <cvename>CVE-2012-1607</cvename>
    <cvename>CVE-2012-1608</cvename>
    <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/</url>
  </references>
  <dates>
    <discovery>2012-03-28</discovery>
  </dates>
</vuln>
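
As an added check (not part of the thread or of FreeBSD's VuXML tooling), the script below parses the proposed entry's affects ranges and reports whether a given port version falls inside them, so a reviewer can confirm that 4.5.13 is covered while the 4.5.14 committed in the thread is not. It assumes plain dotted versions; FreeBSD's full pkg-version comparison rules (PORTREVISION/PORTEPOCH suffixes) are deliberately not implemented, and the function names are the example's own.

```python
"""Check VuXML <affects> ranges against port versions (added illustration).

The XML is the <affects> part of the entry proposed in the thread; the
version compare is a simplified dotted-integer comparison, not FreeBSD's
full pkg-version(8) rules (no _N / ,N suffixes).
"""
import xml.etree.ElementTree as ET

VUXML_AFFECTS = """<vuln vid="cf36b6a1-7d08-11e1-b720-000c2994762c">
  <affects>
    <package><name>typo3</name><range><ge>4.6</ge><le>4.6.6</le></range></package>
    <package><name>typo345</name><range><ge>4.5</ge><le>4.5.13</le></range></package>
    <package><name>typo344</name><range><ge>4.4</ge><le>4.4.13</le></range></package>
  </affects>
</vuln>"""

# VuXML bound elements: bounds inside one <range> are ANDed, ranges are ORed
OPS = {
    "ge": lambda v, b: v >= b, "gt": lambda v, b: v > b,
    "le": lambda v, b: v <= b, "lt": lambda v, b: v < b,
    "eq": lambda v, b: v == b,
}

def vtuple(version):
    """'4.5.13' -> (4, 5, 13); trailing zeros dropped so 4.6.0 == 4.6."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_affects(xml_text):
    """Return {package name: [[(op, version), ...] per <range>]}."""
    root = ET.fromstring(xml_text)
    affects = {}
    for pkg in root.find("affects").findall("package"):
        ranges = [[(b.tag, b.text.strip()) for b in rng]
                  for rng in pkg.findall("range")]
        affects[pkg.findtext("name")] = ranges
    return affects

def is_affected(affects, package, version):
    """True if the given version of package matches any <range>."""
    v = vtuple(version)
    return any(all(OPS[op](v, vtuple(bound)) for op, bound in rng)
               for rng in affects.get(package, []))

if __name__ == "__main__":
    aff = parse_affects(VUXML_AFFECTS)
    for pkg, ver in [("typo345", "4.5.13"), ("typo345", "4.5.14"), ("typo3", "4.6.6")]:
        print(pkg, ver, "affected" if is_affected(aff, pkg, ver) else "not affected")
```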


--------------------------------------------------
From: "Ruslan Mahmatkhanov" <[email protected]>
Sent: Friday, March 30, 2012 9:07 AM
To: "Jason Helfman" <[email protected]>
Cc: <[email protected]>; <[email protected]>; <[email protected]>; "Helmut Schneider" <[email protected]>
Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr

Jason Helfman wrote on 30.03.2012 10:30:
On Thu, Mar 29, 2012 at 11:21 AM, Ruslan Mahmatkhanov <[email protected]> wrote:

rm          2012-03-29 18:21:21 UTC

  FreeBSD ports repository

  Modified files:
    www/typo345          Makefile distinfo pkg-descr
  Log:
  - update to 4.5.14

  See
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/

  PR:             166467 http://www.FreeBSD.org/cgi/query-pr.cgi?pr=166467
  Submitted by:   Helmut Schneider <jumper99 at gmx dot de> (maintainer)
  Feature safe:   yes

  Revision  Changes    Path
  1.60      +1 -1      ports/www/typo345/Makefile
  1.42      +4 -4      ports/www/typo345/distinfo
  1.7       +1 -1      ports/www/typo345/pkg-descr


http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/Makefile.diff?&r1=1.59&r2=1.60&f=h

http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/distinfo.diff?&r1=1.41&r2=1.42&f=h

http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/pkg-descr.diff?&r1=1.6&r2=1.7&f=h


Are there any plans to document these updates in vuxml?

-jgh


No, I haven't. Helmut, would you?

--
Regards,
Ruslan

Tinderboxing kills... the drives.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[email protected]"
