Your message dated Wed, 04 Jun 2014 07:48:22 +0000
with message-id <e1ws5vq-0002jw...@franck.debian.org>
and subject line Bug#749215: fixed in typo3-src 4.5.19+dfsg1-5+wheezy3
has caused the Debian Bug report #749215,
regarding TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
749215: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security


It has been discovered that TYPO3 CMS is vulnerable to Cross-Site
Scripting, Insecure Unserialize, Improper Session Invalidation,
Authentication Bypass, Information Disclosure and Host Spoofing.

Component Type: TYPO3 CMS
Overall Severity: Medium
Release Date: May 22, 2014




Vulnerability Type: Host Spoofing
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet

Problem Description: Failing to properly validate the HTTP host-header,
TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP
host-header to generate absolute URLs in several places like 404
handling, http(s) enforcement, password reset links and many more. Since
the host header itself is provided by the client, it can be forged to any
value, even in a name-based virtual hosts environment. A blog post
describes this problem in great detail.



Vulnerable subcomponent: Color Picker Wizard

Vulnerability Type: Insecure Unserialize
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13 and 6.1.0 to 6.1.8
Severity: Low
CVE: not assigned yet

Problem Description: Failing to validate authenticity of a passed
serialized string, the color picker wizard is susceptible to insecure
unserialize, allowing authenticated editors to unserialize arbitrary PHP
objects.



Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Low
CVE: not assigned yet

Problem Description: Failing to properly encode user input, several
backend components are susceptible to Cross-Site Scripting, allowing
authenticated editors to inject arbitrary HTML or JavaScript by crafting
URL parameters.



Vulnerable subcomponent: ExtJS

Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to
6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet

Problem Description: The ExtJS JavaScript framework that is shipped with
TYPO3 also delivers a flash file to show charts. This file is
susceptible to Cross-Site Scripting. This vulnerability can be exploited
without any authentication.



Vulnerable subcomponent: Authentication

Vulnerability Type: Authentication Bypass
Affected Versions: All TYPO3 versions not configured to use salted passwords
Severity: Medium
CVE: not assigned yet

Problem Description: When the use of salted passwords is disabled (which
is enabled by default since TYPO3 4.6 and required since TYPO3 6.2),
passwords for backend access are stored as MD5 hashes in the database.
This hash (e.g. taken from a successful SQL injection) can be used
directly to authenticate backend users without knowing or reverse
engineering the password.


-- 
 Best regards, Christian Welzel

  GPG-Key:     pub 4096R/5117E119 2011-09-19
  Fingerprint: 3688 337C 0D3E 3725 94EC  E401 8D52 CDE9 5117 E119

--- End Message ---
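The host spoofing issue above comes down to building absolute URLs from a client-controlled header. The following is an added example, not TYPO3's code (TYPO3's own fix for this advisory introduced a comparable trusted-hosts pattern setting): the host is accepted only if it matches an allowlist regex fragment, and URL generation never sees an unvalidated value. `$trustedHostsPattern` and the sample requests are constructed for the example.

```php
<?php
// Added example (not TYPO3's code): validate the HTTP Host header against a
// trusted-hosts pattern before using it to build absolute URLs.

/**
 * Return the request host only if it matches the configured pattern.
 * $trustedHostsPattern is an assumed configuration value: a regex fragment
 * (without delimiters) listing the hosts this site is allowed to answer for.
 */
function getTrustedHost(array $server, string $trustedHostsPattern): string
{
    $host = $server['HTTP_HOST'] ?? '';
    // The header may carry a port ("example.org:8080"); the whole value is
    // matched, so a port is only accepted if the pattern explicitly allows it.
    if ($host === '' || !preg_match('/^(' . $trustedHostsPattern . ')$/i', $host)) {
        throw new RuntimeException('Untrusted HTTP Host header: ' . $host);
    }
    return $host;
}

/** Build an absolute URL (as a password-reset mail would) from trusted parts only. */
function absoluteUrl(array $server, string $trustedHostsPattern, string $path): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = getTrustedHost($server, $trustedHostsPattern);
    return $scheme . '://' . $host . '/' . ltrim($path, '/');
}

// Constructed sample requests: a legitimate one and one with a forged Host header.
$pattern = 'www\.example\.org|example\.org';
$good    = ['HTTP_HOST' => 'www.example.org', 'HTTPS' => 'on'];
$forged  = ['HTTP_HOST' => 'untrusted.example', 'HTTPS' => 'on'];

echo absoluteUrl($good, $pattern, '/index.php?id=password-reset'), PHP_EOL;

try {
    absoluteUrl($forged, $pattern, '/index.php?id=password-reset');
} catch (RuntimeException $e) {
    // The forged host never reaches the URL builder; log and serve a generic error.
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

A server-side allowlist is the control that matters here: reverse-proxy rewrites of Host are not enough, because the application still trusts whatever value arrives.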
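The color picker wizard issue is the classic PHP pattern of calling unserialize() on data that came back from the client. As an added example (not TYPO3's code), the snippet below authenticates the serialized string with an HMAC before unserializing it and additionally disables object instantiation; the key and the wizard parameters are constructed for the example.

```php
<?php
// Added example (not TYPO3's code): authenticate a serialized string with an
// HMAC before calling unserialize(), so a client cannot substitute its own payload.

const HMAC_KEY = 'constructed-demo-key-use-the-site-encryption-key'; // assumed secret

/** Serialize $data and append an HMAC so the receiver can verify its origin. */
function signSerialized($data): string
{
    $payload = serialize($data);
    return $payload . '|' . hash_hmac('sha256', $payload, HMAC_KEY);
}

/**
 * Verify the HMAC and only then unserialize. Returns null on any mismatch.
 * allowed_classes (PHP >= 7.0) is a second line of defence: even if the
 * signature check were somehow bypassed, no application objects are created.
 */
function verifyAndUnserialize(string $signed)
{
    $pos = strrpos($signed, '|');
    if ($pos === false) {
        return null;
    }
    $payload  = substr($signed, 0, $pos);
    $mac      = substr($signed, $pos + 1);
    $expected = hash_hmac('sha256', $payload, HMAC_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed wizard parameters as they might travel through a URL or form field.
$signed = signSerialized(['field' => 'tx_demo_color', 'table' => 'tt_content']);
var_dump(verifyAndUnserialize($signed));

// Tampered copy: the serialized body is changed but the old MAC is kept, so the
// signature check fails and the data is never passed to unserialize().
$tampered = str_replace('tt_content', 'be_users', $signed);
var_dump(verifyAndUnserialize($tampered));
```

Where the round-tripped value is small and structured, encoding it as JSON and validating fields is simpler still; the HMAC is what makes a serialized blob safe to accept at all.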
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.19+dfsg1-5+wheezy3

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 749...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 25 May 2014 11:00:00 +0200
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.19+dfsg1-5+wheezy3
Distribution: wheezy-security
Urgency: medium
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 typo3      - web content management system (meta)
 typo3-database - web content management system (database)
 typo3-dummy - web content management system (basic site structure)
 typo3-src-4.5 - web content management system (core)
Closes: 749215
Changes: 
 typo3-src (4.5.19+dfsg1-5+wheezy3) wheezy-security; urgency=medium
 .
   * Added patch for TYPO3-SA-2014-001. (Closes: #749215)
   * Set patch level version to -pl.4.5.34.


--- End Message ---
