Your message dated Fri, 29 Jan 2010 19:03:46 +0000
with message-id <e1naw8a-00034o...@ries.debian.org>
and subject line Bug#567163: fixed in typo3-src 4.3.1-1
has caused the Debian Bug report #567163,
regarding TYPO3-SA-2010-001: Authentication Bypass in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
567163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: grave
Tags: security
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/
Apparently this only affects unstable/testing, but please double-check
the Lenny status.
Cheers,
Moritz
Vulnerable subcomponent #1: System extension openid
Vulnerability Type: Authentication Bypass
Severity: High
Problem Description: By using an OpenID identity that is assigned to an existing backend user account, an arbitrary website user is able to log in to the TYPO3 backend with the granted rights of this specific user account.
Prerequisites for exploiting this vulnerability are an enabled system extension "openid", knowledge of OpenID identities assigned to TYPO3 user accounts, a victim's OpenID identity of a specific type of OpenID provider, and both victim and attacker having identities at the same OpenID provider. Only OpenID identities whose provider discards the submitted OpenID identity during the authentication process and allows its users to choose a different identity to authenticate with are vulnerable. The TYPO3 Security Team is aware of at least one major OpenID provider that exhibits such behaviour.
TYPO3 System extension "openid" is disabled by default; enabling it requires a manual change in system configuration.
Solution: When using OpenID for authentication, please update to TYPO3 version 4.3.1, which fixes the problem described.
Credits: Credits go to TYPO3 Core member Jeff Segars who discovered and
reported the issue. Thanks to Dmitry Dulepov and
Oliver Hader from the TYPO3 Core team for working on a patch.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
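The bulletin quoted above describes a relying-party mistake: the account is selected from the OpenID identity the browser submitted when login started, while the provider's signed assertion may vouch for a different identity that the same user chose at the provider. The following is an added example (not TYPO3 or Debian code) modelling that check in Python with a simulated provider and a simplified OpenID 2.0 key-value-form signature; the account table, URLs, association secret and nonce are constructed sample values, and real verification also covers return_to, nonce replay, the association handle and the RP's own discovery results, which this model omits.

```python
"""Model of the relying-party (RP) check behind TYPO3-SA-2010-001.

Added illustration, not TYPO3's code. A simulated OpenID provider (OP) lets an
authenticated user pick any identity they control; the RP maps identities to
backend accounts. The weak RP trusts the identity submitted at login start,
the hardened RP trusts only the identity the OP actually signed.
"""
import base64
import hashlib
import hmac

# Constructed sample data: backend accounts keyed by their assigned OpenID identity.
BACKEND_USERS = {
    "https://op.example.net/id/admin": {"username": "admin", "is_admin": True},
    "https://op.example.net/id/mallory": {"username": "mallory", "is_admin": False},
}

# Constructed association secret shared between OP and RP (normally negotiated).
ASSOC_SECRET = b"constructed-association-secret"
RETURN_TO = "https://cms.example.org/typo3/index.php"
SIGNED_FIELDS = ("op_endpoint", "claimed_id", "identity", "return_to", "response_nonce")


def _kv_form(params, fields):
    """OpenID 2.0 key-value form of the signed fields: one 'key:value\\n' per field,
    with the 'openid.' prefix stripped from the key."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()


def provider_issue_assertion(chosen_identity, return_to=RETURN_TO, secret=ASSOC_SECRET):
    """Simulated OP: the user authenticated and chose `chosen_identity`, which may differ
    from whatever identity the RP sent in its request. The OP signs only what it vouches for."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": chosen_identity,
        "openid.identity": chosen_identity,
        "openid.return_to": return_to,
        "openid.response_nonce": "2010-01-29T18:00:00Zconstructed",  # constructed nonce
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(secret, _kv_form(params, SIGNED_FIELDS), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(mac).decode()
    return params


def verify_signature(params, secret=ASSOC_SECRET):
    """Recompute the HMAC over the fields listed in openid.signed; constant-time compare."""
    fields = params["openid.signed"].split(",")
    expected = hmac.new(secret, _kv_form(params, fields), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(params["openid.sig"]), expected)


def vulnerable_login(submitted_identity, params):
    """Weak pattern: signature is checked, but the account comes from the identity the
    browser submitted at login start, not from the identity the OP signed."""
    if not verify_signature(params):
        return None
    return BACKEND_USERS.get(submitted_identity)


def hardened_login(submitted_identity, params):
    """Fixed pattern: the account is selected only from the signed claimed_id, and that
    identity must be the one this login attempt started with. (With OpenID delegation
    the RP compares against its own discovery result instead; omitted here.)"""
    if not verify_signature(params):
        return None
    asserted = params["openid.claimed_id"]
    if asserted != submitted_identity:
        return None  # OP vouched for a different identity than the login started with
    return BACKEND_USERS.get(asserted)


def demo():
    """Return (weak, hardened) results for an assertion about a different identity
    than the one submitted, plus the hardened result for a matching assertion."""
    submitted = "https://op.example.net/id/admin"
    mismatched = provider_issue_assertion("https://op.example.net/id/mallory")
    matching = provider_issue_assertion(submitted)
    return (vulnerable_login(submitted, mismatched),
            hardened_login(submitted, mismatched),
            hardened_login(submitted, matching))


if __name__ == "__main__":
    weak, fixed, legit = demo()
    print("weak RP, mismatched assertion:    ", weak)   # admin account
    print("hardened RP, mismatched assertion:", fixed)  # None
    print("hardened RP, matching assertion:  ", legit)  # admin account
```

Editing the signed claimed_id in the response to match the submitted identity does not help an attacker against the hardened version either, because the signature then fails; the point of the check is that a valid signature only proves the OP vouched for the identity it returned, so that identity, not the submitted one, has to drive the account lookup.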
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.1-1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-database_4.3.1-1_all.deb
to main/t/typo3-src/typo3-database_4.3.1-1_all.deb
typo3-src-4.3_4.3.1-1_all.deb
to main/t/typo3-src/typo3-src-4.3_4.3.1-1_all.deb
typo3-src_4.3.1-1.diff.gz
to main/t/typo3-src/typo3-src_4.3.1-1.diff.gz
typo3-src_4.3.1-1.dsc
to main/t/typo3-src/typo3-src_4.3.1-1.dsc
typo3-src_4.3.1.orig.tar.gz
to main/t/typo3-src/typo3-src_4.3.1.orig.tar.gz
typo3_4.3.1-1_all.deb
to main/t/typo3-src/typo3_4.3.1-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 567...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 29 Jan 2010 18:00:00 +0100
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - The enterprise level open source WebCMS (Meta)
typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 567163
Changes:
typo3-src (4.3.1-1) unstable; urgency=high
.
* New upstream release:
- fixes "TYPO3 Security Bulletin TYPO3-SA-2010-001: Authentication
Bypass in TYPO3 Core" (Closes: 567163)
* fixed spelling error in typo3-database.README.Debian.
Checksums-Sha1:
1d34099a0855b4f4cd18fd9ce33a825c115cc64c 1003 typo3-src_4.3.1-1.dsc
5b6973fa00071cc9dd4e1e85166bd715ef6bd07b 11433669 typo3-src_4.3.1.orig.tar.gz
d9951861297575f7b308e7a4cd765370e95957ef 118167 typo3-src_4.3.1-1.diff.gz
6e9cad8cfec55092c1e6949510bbea5e48949c7d 11216604 typo3-src-4.3_4.3.1-1_all.deb
05db48df084d51990464fff1544e77774a47b3fe 188122 typo3-database_4.3.1-1_all.deb
4ef92c9e760efd6ad2c4698924e659a30faa5228 1248 typo3_4.3.1-1_all.deb
Checksums-Sha256:
4fea984c87a54c7f6173fe1b880236216bc484399f3a35c17a4c8bad67647c2d 1003 typo3-src_4.3.1-1.dsc
0e85bf5802c0038ff6466d0a8ada45c759b1e90bc710c87dab1d0f75c7b89257 11433669 typo3-src_4.3.1.orig.tar.gz
359435ea946af501cda57eab56af55ea27cdf7089668da1768e83e13dc60bf4a 118167 typo3-src_4.3.1-1.diff.gz
f94d73a6f6bd0c52f3a2f181aa1eea2ea01bcf76c7f4d5243f269e2ceba1f726 11216604 typo3-src-4.3_4.3.1-1_all.deb
6b5e9acc91da0cae3c92c28951631c2600a4aafc944187e490d95e03f55d6068 188122 typo3-database_4.3.1-1_all.deb
0377408805b72032aa1124d401a3eeb47abde6992c2f7b491f1f07562e814d95 1248 typo3_4.3.1-1_all.deb
Files:
74d0b0b43d822afe942eb28da7b6300a 1003 web optional typo3-src_4.3.1-1.dsc
f4a5ba3d8445b9c63b4b67034faae967 11433669 web optional typo3-src_4.3.1.orig.tar.gz
78a751ef1d716710cef8b93fae731e7f 118167 web optional typo3-src_4.3.1-1.diff.gz
c90a01884678889c8fd600007fbf582e 11216604 web optional typo3-src-4.3_4.3.1-1_all.deb
506fb1abf724e27ff8d3b32faf86b90c 188122 web optional typo3-database_4.3.1-1_all.deb
6c193ea85368fc3ba3a8915b63161fe0 1248 web optional typo3_4.3.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLYyzQUHLQNqxYNSARAu+9AJ0X+Y84Cmwp0ejg4hBP2r+Dvs0IZACgrCz8
J0HcMGKDipI2Q1QFR0KdwMs=
=TaNY
-----END PGP SIGNATURE-----
--- End Message ---