Hello Nico! I received your message. Thank you!

Andy Smith <[email protected]>
2009/1/26 Nico Golde <[email protected]>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1711-1                  [email protected]
> http://www.debian.org/security/                                 Nico Golde
> January 26, 2009                      http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : typo3-src
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2009-0255 CVE-2009-0256 CVE-2009-0257 CVE-2009-0258
> Debian Bug     : 512608
> BugTraq ID     : 33376
>
> Several remotely exploitable vulnerabilities have been discovered in the
> TYPO3 web content management framework. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CVE-2009-0255
>   Chris John Riley discovered that the TYPO3-wide used encryption key is
>   generated with an insufficiently random seed resulting in low entropy
>   which makes it easier for attackers to crack this key.
>
> CVE-2009-0256
>   Marcus Krause discovered that TYPO3 is not invalidating a supplied session
>   on authentication which allows an attacker to take over a victim's
>   session via a session fixation attack.
>
> CVE-2009-0257
>   Multiple cross-site scripting vulnerabilities allow remote attackers to
>   inject arbitrary web script or HTML via various arguments and
>   user-supplied strings used in the indexed search system extension, adodb
>   extension test scripts or the workspace module.
>
> CVE-2009-0258
>   Mads Olesen discovered a remote command injection vulnerability in
>   the indexed search system extension which allows attackers to
>   execute arbitrary code via a crafted file name which is passed
>   unescaped to various system tools that extract file content for
>   the indexing.
>
>
> Because of CVE-2009-0255, please make sure that besides installing
> this update, you also create a new encryption key after the
> installation.
>
> For the stable distribution (etch) these problems have been fixed in
> version 4.0.2+debian-7.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 4.2.5-1.
>
> We recommend that you upgrade your TYPO3 packages.
>
> Upgrade instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Source archives:
>
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian.orig.tar.gz
>     Size/MD5 checksum:  7683527 be509391b0e4d24278c14100c09dc673
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-7.diff.gz
>     Size/MD5 checksum:    23596 344f6b5ada56d361e274556d6d7eaf99
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-7.dsc
>     Size/MD5 checksum:      610 6b99cc9acd82ec6010a38006910169c9
>
> Architecture independent packages:
>
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.0.2+debian-7_all.deb
>     Size/MD5 checksum:    76924 33b4077e99038121aa5667a3a166d99e
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.0_4.0.2+debian-7_all.deb
>     Size/MD5 checksum:  7691182 f5c8ecbf93c7af50b29b5ded8f455b75
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main
> Mailing list: [email protected]
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iQEcBAEBAgAGBQJJfiIoAAoJEL97/wQC1SS+Zy4IAIccGZx8Hc/kHEl907UC8sJ2
> 72Cs7PSQLsB4z9fRbLyYx2Hyy5Zz+4aAOeRHO3Oy+jzJyjidqvrzdrxN8zd0uhTV
> UZGwRdEqPVO1fNCxVbmpY4EvcctaYpDSEajqKAcLuypyCTPmZ215AJCOx5PeT2QH
> aGUK8ZTeaVWhi3P9hIavDoh7bi/MfoobBBNxmIykDIls2okww7C318Q9WTlaSULq
> e0xfc+4m8J8FXjZw2nlmuyreY35gc67nga/nwA/8xCI5lnoWm72T9/54pOLLOh9g
> 2qee3i2UOEqMJxwpFbQJ2UlcvWcG5FeO+lE2TGXqRaPuzdOqslr3tqa0Ffb7N3Y=
> =SyTo
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact
> [email protected]

--
Andy Smith
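The two fixable-by-design bugs in the quoted advisory, CVE-2009-0256 (a session id that survives authentication, so a session fixed before login becomes the victim's authenticated session) and CVE-2009-0258 (a file name spliced unescaped into a command line for an extraction tool), map onto two defensive patterns. The block below is an added example, not TYPO3's or Debian's code; Python stands in for TYPO3's PHP (the PHP analogue of the argv rule is `escapeshellarg`), and the "extraction tool" is a constructed stand-in that echoes its argument so the example runs offline without `pdftotext`. `SessionStore`, `extract_with_argv` and `ECHO_ARG_TOOL` are names chosen here, not framework APIs.

```python
"""Defensive patterns for the two vulnerability classes named in DSA-1711-1.

Added example, not TYPO3's or Debian's code. Python is used in place of PHP.
 1. Session fixation (cf. CVE-2009-0256): login issues a fresh session id and
    discards the pre-authentication one.
 2. Command injection via file names (cf. CVE-2009-0258): the name reaches the
    external tool as one argv element and is never interpolated into a shell
    command line.
"""
import secrets
import shlex
import subprocess
import sys


class SessionStore:
    """Minimal server-side session table keyed by an opaque id (hypothetical)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None}

    def start(self):
        """Create an anonymous session and return its id (the cookie value)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Resolve a client-supplied id. Unknown ids are not adopted."""
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def authenticate(self, sid, user):
        """Log the user in. The pre-auth id is dropped and a new id issued, so
        an id planted by a third party before login can never become the
        authenticated session."""
        self._sessions.pop(sid, None)  # invalidate, even if it was unknown
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def unsafe_command_line(tool, filename):
    """The vulnerable shape, shown but never executed here: the name is spliced
    into a string meant for a shell, so shell metacharacters in it change
    which commands run."""
    return f"{tool} {filename} -"


def extract_with_argv(tool_argv, filename):
    """The hardened shape: an argv list and no shell. The name is a single
    argument whatever characters it contains."""
    result = subprocess.run(
        [*tool_argv, filename], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


# Constructed stand-in for an extraction tool such as pdftotext: it prints
# its first argument verbatim, so we can see exactly what the tool received.
ECHO_ARG_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def demo():
    """Exercise both patterns on constructed input and return the findings."""
    store = SessionStore()
    planted = store.start()                      # id fixed before login
    authed = store.authenticate(planted, "victim")
    crafted = "report.pdf; id"                   # constructed name with ';'
    return {
        "planted_valid_after_login": store.user_for(planted) is not None,
        "new_id_user": store.user_for(authed),
        "ids_differ": planted != authed,
        "unsafe_line": unsafe_command_line("pdftotext", crafted),
        "quoted_for_shell": shlex.quote(crafted),
        "argv_sees": extract_with_argv(ECHO_ARG_TOOL, crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `unsafe_line` result shows why the advisory calls the name "unescaped": a shell reads `pdftotext report.pdf; id -` as two commands. `quoted_for_shell` is what escaping would have produced had a shell been unavoidable, and `argv_sees` confirms the argv route delivers the whole name, semicolon included, as one inert argument.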
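The upgrade instructions quoted above pair each download URL with a Size/MD5 line. The check a practitioner wants between `wget url` and `dpkg -i file.deb` is to compare the fetched file against exactly that pair before installing. The block below is an added example, not Debian's tooling; it uses a constructed payload and constructed expected values so it runs offline, and it uses MD5 only because that is the digest this 2009 advisory publishes (the PGP signature on the advisory is what vouches for the listed values themselves).

```python
"""Verify a downloaded package against an advisory's Size/MD5 pair before
handing it to dpkg -i. Added example; not Debian's code. MD5 is used because
that is what DSA-1711-1 lists, not as a recommendation of the algorithm."""
import hashlib
import hmac
import os
import tempfile


def verify_download(path, expected_size, expected_md5):
    """Return (ok, reason). Size is compared first (cheap, and it catches a
    truncated download), then the hex digest in constant time."""
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, f"size {actual_size} != expected {expected_size}"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    actual_md5 = digest.hexdigest()
    if not hmac.compare_digest(actual_md5, expected_md5.lower()):
        return False, f"md5 {actual_md5} != expected {expected_md5}"
    return True, "ok"


def demo():
    """Constructed stand-in for a .deb plus its matching and mismatching
    expectations; returns whether each verification passed."""
    payload = b"constructed stand-in for typo3_4.0.2+debian-7_all.deb\n"
    good_md5 = hashlib.md5(payload).hexdigest()  # constructed expected value
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "file.deb")
        with open(path, "wb") as fh:
            fh.write(payload)
        return {
            "match": verify_download(path, len(payload), good_md5)[0],
            "wrong_size": verify_download(path, len(payload) + 1, good_md5)[0],
            "wrong_md5": verify_download(path, len(payload), "0" * 32)[0],
        }


if __name__ == "__main__":
    # In practice: fetch the .deb, call verify_download with the advisory's
    # listed size and checksum, and run dpkg -i only when it returns ok.
    print(demo())
```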

