Your message dated Tue, 10 Feb 2009 15:02:14 +0000
with message-id <[email protected]>
and subject line Bug#514713: fixed in typo3-src 4.2.6-1
has caused the Debian Bug report #514713,
regarding Information disclosure and XSS vulnerabilities in TYPO3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
514713: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514713
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: typo3-src
Version: 4.0.2+debian-7
Severity: critical
Tags: security
TYPO3 Security Bulletin TYPO3-SA-2009-002:
Information Disclosure & XSS in TYPO3 Core
Problem Description 1: An Information Disclosure vulnerability in the jumpUrl
mechanism, used to track access on web pages and provided files, allows a
remote attacker to read arbitrary files on a host.
The expected value of a mandatory hash secret, intended to invalidate such
requests, is exposed to remote users, allowing them to bypass access control by
providing the correct value.
There's no authentication required to exploit this vulnerability. The
vulnerability allows reading any file the web server user account has access
to.
Problem Description 2: Failing to sanitize user input, three fields in the
backend are open to Cross-Site Scripting (XSS).
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
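As an added illustration of the defensive pattern the bulletin implies (not TYPO3's own code), the check below shows how a jumpUrl-style tracked download should be authorized: the signing secret stays server-side, the comparison is constant-time, the expected token is never returned to the caller, and the requested path is confined to an allowed directory. The secret, the root directory and the file names are constructed for the example.

```python
import hmac
import hashlib
import posixpath
from pathlib import PurePosixPath

# Constructed server-side secret. In a deployment it is read from protected
# configuration and must never appear in a page, link or error message.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Constructed directory from which tracked downloads may be served.
ALLOWED_ROOT = PurePosixPath("/var/www/site/fileadmin")


def sign_download(path: str) -> str:
    """Token the server embeds in a tracked download link (HMAC over the path)."""
    return hmac.new(SECRET_KEY, path.encode(), hashlib.sha256).hexdigest()


def _inside_allowed_root(path: str) -> bool:
    """Reject traversal: the normalised path must stay under ALLOWED_ROOT."""
    candidate = PurePosixPath(posixpath.normpath(path))
    if not candidate.is_absolute() or ".." in candidate.parts:
        return False
    return ALLOWED_ROOT in candidate.parents


def authorize_download(path: str, token: str) -> bool:
    """Server-side decision for a jumpUrl-style request; both checks must hold."""
    if not _inside_allowed_root(path):
        return False
    expected = sign_download(path)
    # Constant-time comparison; only True/False leaves this function, never
    # the expected value, so a wrong guess reveals nothing about the secret.
    return hmac.compare_digest(expected, token)


def handle_request(path: str, token: str) -> dict:
    """Response body for the download endpoint; errors are deliberately generic."""
    if authorize_download(path, token):
        return {"status": 200, "file": path}
    return {"status": 403, "error": "access denied"}
```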
--- Begin Message ---
Source: typo3-src
Source-Version: 4.2.6-1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-src-4.2_4.2.6-1_all.deb
to pool/main/t/typo3-src/typo3-src-4.2_4.2.6-1_all.deb
typo3-src_4.2.6-1.diff.gz
to pool/main/t/typo3-src/typo3-src_4.2.6-1.diff.gz
typo3-src_4.2.6-1.dsc
to pool/main/t/typo3-src/typo3-src_4.2.6-1.dsc
typo3-src_4.2.6.orig.tar.gz
to pool/main/t/typo3-src/typo3-src_4.2.6.orig.tar.gz
typo3_4.2.6-1_all.deb
to pool/main/t/typo3-src/typo3_4.2.6-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <[email protected]> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 10 Feb 2009 12:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.6-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <[email protected]>
Changed-By: Christian Welzel <[email protected]>
Description:
typo3 - Powerful content management framework (Meta package)
typo3-src-4.2 - Powerful content management framework (Core)
Closes: 514713
Changes:
typo3-src (4.2.6-1) unstable; urgency=high
.
* New upstream release.
- fixes TYPO3 Security Bulletin TYPO3-SA-2009-002: Information
disclosure and XSS vulnerabilities in TYPO3 (Closes: 514713)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---