Your message dated Wed, 05 Oct 2011 08:07:47 +0000
with message-id <[email protected]>
and subject line Bug#641683: fixed in typo3-src 4.2.5-1+lenny9
has caused the Debian Bug report #641683,
regarding TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error 
handling could lead to cache flooding in TYPO3 Core
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
641683: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641683
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security


Component Type: TYPO3 Core

Affected Versions: 4.2.0-4.2.17, 4.3.0-4.3.13, 4.5.0-4.5.5
Release Date: September 14, 2011


Vulnerable subcomponent: Caching System


Vulnerability Type: Improper error handling
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
Problem Description: When configured to explicitly deny cache disabling
through a URL parameter
($TYPO3_CONF_VARS['FE']['disableNoCacheParameter']), TYPO3 fails to
disable caching when an invalid cache hash URL parameter (cHash) is
provided. This allows an attacker to easily flood the caching tables of
TYPO3.



-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15



--- End Message ---
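The bulletin quoted above describes a failure mode rather than a specific bug in any one line of code: a configuration switch meant to ignore the visitor-supplied no_cache URL parameter also discarded the server's own decision that a request with an invalid cHash must not be cached, so every distinct invalid hash became a new cache row. The following Python model is an added illustration, not TYPO3 code; the keyed hash, the PageCache dictionary, the `decide_caching` and `simulate` functions and the `SITE_SECRET` value are all constructed stand-ins for the real cHash mechanism and `$TYPO3_CONF_VARS['FE']['disableNoCacheParameter']`.

```python
"""Model of the cache-flooding failure mode from TYPO3-CORE-SA-2011-003.

Added illustration, not TYPO3 code: the hash scheme, the cache and the
configuration flag are simplified stand-ins for the real ones.
"""
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed secret standing in for the site's encryption key.
SITE_SECRET = b"constructed-example-secret"


def canonical_query(params: Dict[str, str]) -> str:
    """Deterministic serialisation of the cacheable URL parameters."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))


def compute_chash(params: Dict[str, str]) -> str:
    """Keyed hash over the parameters; only the server can mint a valid one."""
    return hmac.new(SITE_SECRET, canonical_query(params).encode(),
                    hashlib.sha1).hexdigest()


def decide_caching(chash_ok: bool, url_no_cache: bool,
                   cfg_disable_no_cache_param: bool, fixed: bool) -> bool:
    """Return True when the rendered page may be stored in the cache.

    Two independent reasons exist for rendering uncached: the visitor asked
    for it (&no_cache=1), which a site may legitimately choose to ignore, and
    the server itself found the request uncacheable (invalid cHash). The
    flawed variant funnels both through one flag that the configuration
    switch then clears, so the invalid-cHash verdict is lost.
    """
    if fixed:
        # The switch only governs the visitor-facing parameter ...
        no_cache = url_no_cache and not cfg_disable_no_cache_param
        # ... while the server-side verdict is applied afterwards, unconditionally.
        if not chash_ok:
            no_cache = True
        return not no_cache
    # Vulnerable ordering: a single flag, cleared wholesale by the switch.
    no_cache = url_no_cache or not chash_ok
    if cfg_disable_no_cache_param:
        no_cache = False
    return not no_cache


def simulate(n_requests: int, chash_valid: bool, fixed: bool,
             cfg_disable_no_cache_param: bool = True) -> int:
    """Serve n_requests for one page and return how many cache rows exist."""
    cache: Dict[str, str] = {}
    params = {"id": "42", "L": "0"}          # constructed page parameters
    for _ in range(n_requests):
        supplied = compute_chash(params) if chash_valid else secrets.token_hex(16)
        chash_ok = hmac.compare_digest(compute_chash(params), supplied)
        if decide_caching(chash_ok, False, cfg_disable_no_cache_param, fixed):
            # The cache identity includes the supplied cHash, so each distinct
            # invalid value that slips through becomes a fresh row.
            cache[f"{canonical_query(params)}&cHash={supplied}"] = "<html>page</html>"
    return len(cache)


if __name__ == "__main__":
    print("vulnerable, invalid cHash, switch on:", simulate(100, False, fixed=False))
    print("fixed, invalid cHash, switch on:     ", simulate(100, False, fixed=True))
    print("fixed, valid cHash:                  ", simulate(100, True, fixed=True))
```

The model reproduces the advisory's precondition: with the switch off, even the flawed ordering leaves invalid-cHash requests uncached, and the growth appears only once `disableNoCacheParameter` is set. The operational lesson for anyone maintaining a similar cache is that a configuration option which ignores a client-controlled parameter must never be able to override a server-side "do not cache" decision, and that an unexpected rise in cache-table row counts for a single page id is the symptom to alert on.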
--- Begin Message ---
Source: typo3-src
Source-Version: 4.2.5-1+lenny9

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.5-1+lenny9_all.deb
  to main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny9_all.deb
typo3-src_4.2.5-1+lenny9.diff.gz
  to main/t/typo3-src/typo3-src_4.2.5-1+lenny9.diff.gz
typo3-src_4.2.5-1+lenny9.dsc
  to main/t/typo3-src/typo3-src_4.2.5-1+lenny9.dsc
typo3_4.2.5-1+lenny9_all.deb
  to main/t/typo3-src/typo3_4.2.5-1+lenny9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <[email protected]> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 15 Sep 2011 15:30:56 +2000
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.5-1+lenny9
Distribution: oldstable-proposed-updates
Urgency: high
Maintainer: Christian Welzel <[email protected]>
Changed-By: Christian Welzel <[email protected]>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 641683
Changes: 
 typo3-src (4.2.5-1+lenny9) oldstable-proposed-updates; urgency=high
 .
   [ Christian Welzel ]
   * Security patch from new upstream release 4.3.14
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error
       handling could lead to cache flooding in TYPO3 Core" (Closes: 641683)
Checksums-Sha1: 
 60d5d6768fe634deda026671c97c832aa88d2b6a 1009 typo3-src_4.2.5-1+lenny9.dsc
 e93a81e44d0452388c6bd4f9d1fb4dff197367bf 161393 typo3-src_4.2.5-1+lenny9.diff.gz
 7a4256c77effcaad89c561c433ce011ee738a5ae 134310 typo3_4.2.5-1+lenny9_all.deb
 f22c6a6cc1b41f9475380e262fca5f383d27e150 8188600 typo3-src-4.2_4.2.5-1+lenny9_all.deb
Checksums-Sha256: 
 65205dbc07f6d9cbc8bf14464726d0e6f10258f8acf340c90f70da92274580ba 1009 typo3-src_4.2.5-1+lenny9.dsc
 0e2f8f7aaf51a72056dacdb1827c0c38c4b597590ff76319cfb99757a9124c3f 161393 typo3-src_4.2.5-1+lenny9.diff.gz
 cf427712e097d289e17e6cfb6302c133cc7b80681c953b6bbf2c2e3bfa5ba303 134310 typo3_4.2.5-1+lenny9_all.deb
 2e125c6508da789080a2eee055f33767ad0be7fe1d6551ad92af97d5f16a0641 8188600 typo3-src-4.2_4.2.5-1+lenny9_all.deb
Files: 
 a550494b3a3a17767dc51e2c1a55f0d1 1009 web optional typo3-src_4.2.5-1+lenny9.dsc
 103a904f03b6e7bf8ecbf7e336010b68 161393 web optional typo3-src_4.2.5-1+lenny9.diff.gz
 fb32e6d15282b969e194f866148ba4b4 134310 web optional typo3_4.2.5-1+lenny9_all.deb
 fcc4c810e3fbe49e8270317ac23021ed 8188600 web optional typo3-src-4.2_4.2.5-1+lenny9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFOgLrWUHLQNqxYNSARAjsrAKCPL9XN1EKDgs0b7oFqxzTPtd87mQCgmoce
yLugcDx1/p2n/ZVNNddd2Mw=
=R6xs
-----END PGP SIGNATURE-----



--- End Message ---
