Your message dated Tue, 27 Sep 2011 01:56:23 +0000
with message-id <[email protected]>
and subject line Bug#641683: fixed in typo3-src 4.3.9+dfsg1-1+squeeze2
has caused the Debian Bug report #641683,
regarding TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error
handling could lead to cache flooding in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
641683: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641683
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
Component Type: TYPO3 Core
Affected Versions: 4.2.0-4.2.17, 4.3.0-4.3.13, 4.5.0-4.5.5
Release Date: September 14, 2011
Vulnerable subcomponent: Caching System
Vulnerability Type: Improper error handling
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
Problem Description: When configured to explicitly deny cache disabling through a URL parameter ($TYPO3_CONF_VARS['FE']['disableNoCacheParameter']), TYPO3 fails to disable caching when an invalid cache hash URL parameter (cHash) is provided. This allows an attacker to easily flood the caching tables of TYPO3.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
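The cache-flooding mechanism described in the bulletin above, as an added Python model (not code from TYPO3, from the bug report, or from the Debian package). The model is an assumption in several places: the cHash is computed here as an HMAC over the sorted query string with a constructed site secret (real TYPO3 4.x derives it from a serialized parameter array), the page cache is keyed by (page id, cHash), the page id and parameters are made up, and the `honour_internal_no_cache` switch stands in for the difference between the vulnerable and the fixed behaviour: in the vulnerable variant the `disableNoCacheParameter` setting silences every reason not to cache, including a cHash mismatch, while in the fixed variant it only ignores the external `&no_cache=1` parameter.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed site secret standing in for $TYPO3_CONF_VARS['SYS']['encryptionKey']
# (assumption: a real installation has its own key).
ENCRYPTION_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
PAGE_ID = 42  # constructed page id


def calculate_chash(params: dict) -> str:
    """Link-time cache hash: a digest over the canonicalised query parameters,
    bound to the site secret so an attacker cannot mint valid values.
    Simplified model (assumption): TYPO3 4.x hashes a serialized PHP array
    with the key mixed in; only the binding to a secret matters here."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(ENCRYPTION_KEY.encode(), canonical.encode(), hashlib.md5).hexdigest()


class FrontendCache:
    """Toy page cache keyed by (page id, cHash): every distinct cHash value
    that gets stored is a distinct cache row."""

    def __init__(self, disable_no_cache_parameter: bool, honour_internal_no_cache: bool):
        self.disable_no_cache_parameter = disable_no_cache_parameter
        # False models the vulnerable behaviour: disableNoCacheParameter
        # suppresses every no-cache decision, even an internal one such as a
        # cHash mismatch. True models the fix: only the external &no_cache=1
        # request is refused; internal reasons are always honoured.
        self.honour_internal_no_cache = honour_internal_no_cache
        self.store = {}   # (page_id, cHash) -> rendered body
        self.renders = 0  # full page renders (cache misses)

    def handle_request(self, page_id: int, query: dict) -> str:
        query = dict(query)
        chash = query.pop("cHash", None)
        external_no_cache = query.pop("no_cache", None) == "1"

        no_cache = False
        # External request to bypass the cache: the administrator may
        # legitimately refuse it via disableNoCacheParameter.
        if external_no_cache and not self.disable_no_cache_parameter:
            no_cache = True
        # Internal reason: the supplied cHash does not match the parameters,
        # so the rendered page must not be stored under that key.
        if chash is not None and not hmac.compare_digest(chash, calculate_chash(query)):
            if self.honour_internal_no_cache or not self.disable_no_cache_parameter:
                no_cache = True

        key = (page_id, chash)
        if key in self.store:
            return self.store[key]
        self.renders += 1
        body = f"page {page_id} rendered for {sorted(query.items())}"
        if not no_cache:
            self.store[key] = body
        return body


def simulate(disable_no_cache_parameter: bool, fixed: bool, attacker_requests: int) -> dict:
    """One legitimate visitor (twice, to show a cache hit), then an attacker
    replaying the same URL with a fresh, invalid cHash on every request.
    Returns the number of cache rows and of full page renders."""
    cache = FrontendCache(disable_no_cache_parameter, honour_internal_no_cache=fixed)
    params = {"tx_demo[uid]": "1"}  # constructed plugin parameter
    legit = dict(params, cHash=calculate_chash(params))
    cache.handle_request(PAGE_ID, legit)
    cache.handle_request(PAGE_ID, legit)  # served from cache
    for i in range(attacker_requests):
        forged = dict(params, cHash=f"{i:032x}")  # cannot be valid without the key
        cache.handle_request(PAGE_ID, forged)
    return {"cache_rows": len(cache.store), "renders": cache.renders}


if __name__ == "__main__":
    for disable, fixed in [(False, False), (True, False), (True, True)]:
        print(f"disableNoCacheParameter={disable} fixed={fixed}:",
              simulate(disable, fixed, attacker_requests=1000))
```

Running the model shows the three cases the bulletin implies: with `disableNoCacheParameter` off, every forged cHash is rejected and the cache keeps one row; with it on and the vulnerable behaviour, every forged request adds a row, so the cache table grows linearly with the attacker's request count; with it on and the fixed behaviour, the cache again keeps one row. Note that the fix only stops the table growth: each forged request still costs a full render in every variant, so a cHash check is not a substitute for request-rate limiting in front of the site.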
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze2
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-database_4.3.9+dfsg1-1+squeeze2_all.deb
to main/t/typo3-src/typo3-database_4.3.9+dfsg1-1+squeeze2_all.deb
typo3-src-4.3_4.3.9+dfsg1-1+squeeze2_all.deb
to main/t/typo3-src/typo3-src-4.3_4.3.9+dfsg1-1+squeeze2_all.deb
typo3-src_4.3.9+dfsg1-1+squeeze2.debian.tar.gz
to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze2.debian.tar.gz
typo3-src_4.3.9+dfsg1-1+squeeze2.dsc
to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze2.dsc
typo3_4.3.9+dfsg1-1+squeeze2_all.deb
to main/t/typo3-src/typo3_4.3.9+dfsg1-1+squeeze2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <[email protected]> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 15 Sep 2011 11:00:00 +0100
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze2
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Christian Welzel <[email protected]>
Changed-By: Christian Welzel <[email protected]>
Description:
typo3 - The enterprise level open source WebCMS (Meta)
typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 641683
Changes:
typo3-src (4.3.9+dfsg1-1+squeeze2) stable-proposed-updates; urgency=high
.
* Security patch from new upstream release 4.3.14:
- fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error
handling could lead to cache flooding in TYPO3 Core" (Closes: 641683)
Checksums-Sha1:
ee4fa60093b9ac282ec14dee1db735d0bafffebb 1100 typo3-src_4.3.9+dfsg1-1+squeeze2.dsc
45f8409be55195cd0aff2f94d25688b6fc8da946 129619 typo3-src_4.3.9+dfsg1-1+squeeze2.debian.tar.gz
c580b0e01984c262ce18fadf8db91a840810dca0 11282988 typo3-src-4.3_4.3.9+dfsg1-1+squeeze2_all.deb
24d308f095fea7dd488c69f247419913535eb332 202576 typo3-database_4.3.9+dfsg1-1+squeeze2_all.deb
44699045748566b1f02db8515cbcdc747625a145 1256 typo3_4.3.9+dfsg1-1+squeeze2_all.deb
Checksums-Sha256:
2668190fd83fccb5d04acb3f36161964af07f10d9e639efed9d349f7a84d1592 1100 typo3-src_4.3.9+dfsg1-1+squeeze2.dsc
4e0fecc8aadd9bad1e1726b9ac00d86e8c615815479546a366cbd738e194ed23 129619 typo3-src_4.3.9+dfsg1-1+squeeze2.debian.tar.gz
2ec9f7f2a9f628644ec8610bdba12ed194da81016bb437758bfb90cfb8cb5340 11282988 typo3-src-4.3_4.3.9+dfsg1-1+squeeze2_all.deb
33631b07a280c3b37b8a43c752b6cce1fbf7ae5b1521e33b571bbcfa0bac3b68 202576 typo3-database_4.3.9+dfsg1-1+squeeze2_all.deb
990039c782681aac582889af08f7b25b7f2a53374a69115ff11653bc730275cb 1256 typo3_4.3.9+dfsg1-1+squeeze2_all.deb
Files:
38ac9c3fcd89db05beac488ce96ac1f7 1100 web optional typo3-src_4.3.9+dfsg1-1+squeeze2.dsc
e33c1e84ef84b88fee6ccc864ca8e2fa 129619 web optional typo3-src_4.3.9+dfsg1-1+squeeze2.debian.tar.gz
52c263f63f493f7e08e7128581097d28 11282988 web optional typo3-src-4.3_4.3.9+dfsg1-1+squeeze2_all.deb
b7862e4c6bf677677fe2411632e43b3e 202576 web optional typo3-database_4.3.9+dfsg1-1+squeeze2_all.deb
c2be6a5f88308774457a38e9339db990 1256 web optional typo3_4.3.9+dfsg1-1+squeeze2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFOgLnqUHLQNqxYNSARAsbKAKCwln0zC9IK0T7uAvBTY8aXHwYPEQCgvrPM
LpfA6V8T5O05Q5A6yLCxq/0=
=WF3L
-----END PGP SIGNATURE-----
--- End Message ---