Your message dated Fri, 20 Apr 2012 19:38:30 +0000
with message-id <[email protected]>
and subject line Bug#669158: fixed in typo3-src 4.3.9+dfsg1-1+squeeze4
has caused the Debian Bug report #669158,
regarding TYPO3-CORE-SA-2012-002: Cross-Site Scripting Vulnerability in TYPO3
Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
669158: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669158
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to
4.6.7 and development releases of the 4.7 branch.
Vulnerable subcomponent: Exception Handler
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly encode the output, the default
TYPO3 Exception Handler is susceptible to Cross-Site Scripting.
We are not aware of a possibility to exploit this vulnerability without
third party extensions being installed that put user input in exception
messages.
However, it has come to our attention that extensions using the extbase
MVC framework can be used to exploit this vulnerability if these
extensions accept objects in controller actions.
In general and especially when in doubt if the above conditions are met,
we highly recommend users of affected versions to update as soon as
possible.
Important Note: In case you have configured your own exception handler
for TYPO3 you need to make sure that the exception messages are properly
encoded within this exception handler before they are presented.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
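The advisory's closing note asks anyone running a self-configured TYPO3 exception handler to encode exception messages before rendering them. The PHP below is an added illustration of that requirement, not code from TYPO3 or from the Debian package: the function names (`encodeForHtml`, `renderExceptionPage`, `renderExceptionPageUnencoded`, `safeExceptionHandler`), the page text, and the probe message are all assumptions constructed for the example, and it assumes PHP 7 or later for the `Throwable` type hint.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): a minimal custom exception handler that
// HTML-encodes the exception message before it is written into the page,
// next to the unencoded pattern the advisory describes as vulnerable.

/**
 * Encode a string for safe inclusion in an HTML text node or attribute.
 * ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
 * byte sequences instead of returning an empty string, and the explicit
 * charset avoids behaviour that depends on the default_charset setting.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened rendering: every dynamic value, including the class name, passes
 * through encodeForHtml() before it reaches the HTML output.
 */
function renderExceptionPage(Throwable $e): string
{
    return '<h1>An error occurred</h1>'
        . '<p class="exception-class">' . encodeForHtml(get_class($e)) . '</p>'
        . '<pre class="exception-message">' . encodeForHtml($e->getMessage()) . '</pre>';
}

/**
 * The pattern the advisory warns about, kept only for comparison: the raw
 * message is concatenated into HTML, so any markup that an extension copied
 * from request data into the message is interpreted by the browser.
 */
function renderExceptionPageUnencoded(Throwable $e): string
{
    return '<h1>An error occurred</h1><pre>' . $e->getMessage() . '</pre>';
}

/**
 * Handler to register with set_exception_handler(): send a 500, log the
 * unencoded message for operators, and emit only the encoded HTML page.
 */
function safeExceptionHandler(Throwable $e): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
    }
    // The log line is not HTML, so the raw message is appropriate here.
    error_log(sprintf('Uncaught %s: %s', get_class($e), $e->getMessage()));
    echo renderExceptionPage($e);
}

set_exception_handler('safeExceptionHandler');

// Constructed self-check (not from the advisory): a message containing markup,
// as an extension might produce when it echoes a request value into an
// exception. The hardened renderer must emit it as inert text.
$probe = new RuntimeException('Argument "<b>title</b>" is not a valid object');
$safe = renderExceptionPage($probe);
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '&lt;b&gt;title&lt;/b&gt;') !== false);
// The comparison renderer passes the markup through unchanged.
assert(strpos(renderExceptionPageUnencoded($probe), '<b>') !== false);
```

The encoding happens at the point where the message is written into HTML, not where the exception is thrown, because the handler cannot know which code path produced the message. Logging keeps the unencoded text so operators still see exactly what was raised.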
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze4
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-database_4.3.9+dfsg1-1+squeeze4_all.deb
to main/t/typo3-src/typo3-database_4.3.9+dfsg1-1+squeeze4_all.deb
typo3-src-4.3_4.3.9+dfsg1-1+squeeze4_all.deb
to main/t/typo3-src/typo3-src-4.3_4.3.9+dfsg1-1+squeeze4_all.deb
typo3-src_4.3.9+dfsg1-1+squeeze4.debian.tar.gz
to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze4.debian.tar.gz
typo3-src_4.3.9+dfsg1-1+squeeze4.dsc
to main/t/typo3-src/typo3-src_4.3.9+dfsg1-1+squeeze4.dsc
typo3_4.3.9+dfsg1-1+squeeze4_all.deb
to main/t/typo3-src/typo3_4.3.9+dfsg1-1+squeeze4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <[email protected]> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 17 Apr 2012 22:30:00 +0200
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze4
Distribution: squeeze-security
Urgency: medium
Maintainer: Christian Welzel <[email protected]>
Changed-By: Christian Welzel <[email protected]>
Description:
typo3 - The enterprise level open source WebCMS (Meta)
typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 669158
Changes:
typo3-src (4.3.9+dfsg1-1+squeeze4) squeeze-security; urgency=medium
.
* Security patch backported from new upstream release 4.4.15:
- fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-002: Cross-Site
Scripting Vulnerability in TYPO3 Core" (Closes: 669158)
Checksums-Sha1:
60104f9e0dfca9fc5ba3a3f4b54f7eee04c3aeb3 1740
typo3-src_4.3.9+dfsg1-1+squeeze4.dsc
ce76b672287f437f32fefd224f220627eced096f 132939
typo3-src_4.3.9+dfsg1-1+squeeze4.debian.tar.gz
724c8bac4f5dc40d4c98ff2bc30b52163755f472 11290626
typo3-src-4.3_4.3.9+dfsg1-1+squeeze4_all.deb
767dd06ddc9c90fbc08fcf24b86477171cf22529 201644
typo3-database_4.3.9+dfsg1-1+squeeze4_all.deb
853aef329cf221cc5ea8cbc0f16c62b5f1aeae01 1260
typo3_4.3.9+dfsg1-1+squeeze4_all.deb
Checksums-Sha256:
88af61d9afc1c46aed8797e7299598eb95037af097e326811235b99110576074 1740
typo3-src_4.3.9+dfsg1-1+squeeze4.dsc
f7da21d19b2c1aaa290b6615e7342ce44518862e976e11d99c61796b525ab6e0 132939
typo3-src_4.3.9+dfsg1-1+squeeze4.debian.tar.gz
e621d5f419f9198a788cdf029147d5afc4cb54731952903f760da025c6474e5f 11290626
typo3-src-4.3_4.3.9+dfsg1-1+squeeze4_all.deb
45de729341900763045a0833f0d9e13c400e817409761ebbd36cfd288fdf3866 201644
typo3-database_4.3.9+dfsg1-1+squeeze4_all.deb
9998229839b81735184ea0f7fffe5abd931f35876842a3c781cc19a49b3e0e30 1260
typo3_4.3.9+dfsg1-1+squeeze4_all.deb
Files:
e892b17536e2c063304e45349f4d8495 1740 web optional
typo3-src_4.3.9+dfsg1-1+squeeze4.dsc
1c8430e607ea189145a98988e199c283 132939 web optional
typo3-src_4.3.9+dfsg1-1+squeeze4.debian.tar.gz
69562c8a756b7d0315045dfd5706f039 11290626 web optional
typo3-src-4.3_4.3.9+dfsg1-1+squeeze4_all.deb
2ffd7a0191ab046b2ced510cf0f325a0 201644 web optional
typo3-database_4.3.9+dfsg1-1+squeeze4_all.deb
4d0101cbd609d90a30e65284baba184c 1260 web optional
typo3_4.3.9+dfsg1-1+squeeze4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
=d6Ka
-----END PGP SIGNATURE-----
--- End Message ---