Your message dated Sat, 17 Dec 2011 15:51:59 +0000
with message-id <e1rbwyj-0005bo...@franck.debian.org>
and subject line Bug#652365: fixed in typo3-src 4.5.9+dfsg1-1
has caused the Debian Bug report #652365,
regarding TYPO3 Security Bulletin TYPO3-CORE-SA-2011-004: Remote Code Execution
in TYPO3 Core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
652365: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652365
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1
Vulnerability Types: Remote Code Execution
Overall Severity: Critical
Vulnerable subcomponent: TYPO3 workspaces
Vulnerability Type: Remote Code Execution
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
Problem Description: A PHP file which is part of the workspaces system
extension does not validate passed arguments.
You are only vulnerable if all of the following conditions are met:
1. You are using TYPO3 version 4.5.0 up to 4.5.8, 4.6.0 or 4.6.1.
2. You have all of the following PHP configuration variables set to "on":
register_globals ("off" by default, advised to be "off" in TYPO3
Security Guide), allow_url_include ("off" by default) and
allow_url_fopen ("on" by default)
If you are using the Suhosin PHP extension you are only vulnerable if
you have additionally put URL schemes in the configuration variable
"suhosin.executor.include.whitelist".
The workspaces system extension does not need to be activated for this
vulnerability to exist.
Possible Impact: A crafted request to a vulnerable TYPO3 installation
will allow an attacker to load PHP code from an external source and to
execute it on the TYPO3 installation.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
--- End Message ---
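The "you are only vulnerable if all of the following conditions are met" list in the bulletin quoted above is easy to get wrong by hand (three switches, two of which default to off, plus the Suhosin exception), so here is an added example that turns it into a check. This is not code from the bug report, from TYPO3 or from Debian. It reads a php.ini-style text with a deliberately minimal parser, applies PHP's boolean directive semantics (on/yes/true, or a non-zero integer, count as on), and reports whether an install of the given TYPO3 version meets every precondition. The sample configurations are constructed, and the way a loaded Suhosin extension is detected (an `extension=suhosin.so` line or any `suhosin.*` directive) is an assumption made for this example.

```python
"""Precondition check for TYPO3-CORE-SA-2011-004 (added example, not TYPO3
or Debian code). Encodes the bulletin's affected-version range, the three
php.ini switches and the Suhosin whitelist exception, and runs them over
php.ini text so an admin can tell whether an unpatched install is exposed."""
import re


def version_affected(version: str) -> bool:
    """Versions named in the bulletin: 4.5.0 to 4.5.8, 4.6.0 and 4.6.1.
    A Debian-style suffix such as '4.5.9+dfsg1-1' is tolerated."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable TYPO3 version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (4, 5):
        return patch <= 8
    if (major, minor) == (4, 6):
        return patch <= 1
    return False


def ini_bool(value: str) -> bool:
    """PHP boolean directive semantics: on/yes/true are on; anything else is
    read as an integer and non-zero means on ('2' is on, 'Off' and '' are off)."""
    v = value.strip().lower()
    if v in ("on", "yes", "true"):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False


def parse_php_ini(text: str):
    """Minimal php.ini reader (assumption: one 'key = value' per line, ';'
    starts a comment, [sections] are ignored, surrounding quotes stripped).
    Returns the directives plus the list of 'extension=' values."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key == "extension":
            extensions.append(value)
        else:
            settings[key] = value
    return settings, extensions


# php.ini defaults quoted in the bulletin, used when a directive is absent.
DEFAULTS = {"register_globals": "Off", "allow_url_include": "Off", "allow_url_fopen": "On"}


def assess(typo3_version: str, ini_text: str):
    """Return (exposed, reasons). 'exposed' is True only when every condition
    in the bulletin holds; each reason records which check passed or failed."""
    settings, extensions = parse_php_ini(ini_text)
    reasons, exposed = [], True

    if version_affected(typo3_version):
        reasons.append(f"TYPO3 {typo3_version} is in the affected range")
    else:
        reasons.append(f"TYPO3 {typo3_version} is not in the affected range")
        exposed = False

    for key, default in DEFAULTS.items():
        value = settings.get(key, default)
        state = "on" if ini_bool(value) else "off"
        reasons.append(f"{key} = {value} ({state})")
        if state == "off":
            exposed = False  # all three must be on for the remote include to work

    # Suhosin (assumption: detected via 'extension=suhosin.so' or any
    # 'suhosin.*' directive) blocks URL includes unless schemes are whitelisted.
    suhosin_loaded = any("suhosin" in e.lower() for e in extensions) or any(
        k.startswith("suhosin.") for k in settings)
    if suhosin_loaded:
        raw = settings.get("suhosin.executor.include.whitelist", "")
        whitelist = [s.strip() for s in raw.split(",") if s.strip()]
        if whitelist:
            reasons.append(f"Suhosin include whitelist allows {whitelist}")
        else:
            reasons.append("Suhosin loaded with an empty include whitelist")
            exposed = False
    return exposed, reasons


# Constructed sample configurations (not taken from any real system).
EXPOSED_INI = """
[PHP]
register_globals = On          ; TYPO3 Security Guide says Off
allow_url_include = On
allow_url_fopen = On
"""

STOCK_INI = """
[PHP]
allow_url_fopen = On           ; the other two directives keep their Off defaults
"""

SUHOSIN_INI = EXPOSED_INI + """
extension = suhosin.so
suhosin.executor.include.whitelist = "http://, https://"
"""

if __name__ == "__main__":
    for label, version, ini in [("exposed", "4.5.8", EXPOSED_INI),
                                ("stock php.ini", "4.5.8", STOCK_INI),
                                ("suhosin + whitelist", "4.6.1", SUHOSIN_INI),
                                ("patched", "4.5.9+dfsg1-1", EXPOSED_INI)]:
        exposed, reasons = assess(version, ini)
        print(f"{label}: {'EXPOSED' if exposed else 'not exposed'}")
        for r in reasons:
            print("  -", r)
```

On a live box, feed it the php.ini that the web server's PHP actually loads (`php --ini` lists the candidate files) rather than a copy from the source tree, and treat a "not exposed" verdict as a reason to schedule the upgrade rather than skip it: the bulletin's fix is the 4.5.9 / 4.6.2 release, and the configuration switches only decide whether the unpatched code can be reached.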
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.9+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:
typo3-database_4.5.9+dfsg1-1_all.deb
to main/t/typo3-src/typo3-database_4.5.9+dfsg1-1_all.deb
typo3-dummy_4.5.9+dfsg1-1_all.deb
to main/t/typo3-src/typo3-dummy_4.5.9+dfsg1-1_all.deb
typo3-src-4.5_4.5.9+dfsg1-1_all.deb
to main/t/typo3-src/typo3-src-4.5_4.5.9+dfsg1-1_all.deb
typo3-src_4.5.9+dfsg1-1.debian.tar.gz
to main/t/typo3-src/typo3-src_4.5.9+dfsg1-1.debian.tar.gz
typo3-src_4.5.9+dfsg1-1.dsc
to main/t/typo3-src/typo3-src_4.5.9+dfsg1-1.dsc
typo3-src_4.5.9+dfsg1.orig-dummy.tar.gz
to main/t/typo3-src/typo3-src_4.5.9+dfsg1.orig-dummy.tar.gz
typo3-src_4.5.9+dfsg1.orig.tar.gz
to main/t/typo3-src/typo3-src_4.5.9+dfsg1.orig.tar.gz
typo3_4.5.9+dfsg1-1_all.deb
to main/t/typo3-src/typo3_4.5.9+dfsg1-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 16 Dec 2011 20:00:00 +0100
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.9+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
typo3 - The enterprise level open source WebCMS (Meta)
typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
typo3-dummy - web content management system
typo3-src-4.5 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 652365
Changes:
typo3-src (4.5.9+dfsg1-1) unstable; urgency=high
.
* New upstream release:
- fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2011-004: Remote
Code Execution in TYPO3 Core" (Closes: #652365)
Checksums-Sha1:
5471d0e39bf752bb96da041eefeb7abe0ecb8026 2136 typo3-src_4.5.9+dfsg1-1.dsc
35f087f0f6e41537df5a316eb6aaead4530121bd 9850 typo3-src_4.5.9+dfsg1.orig-dummy.tar.gz
017604146471c05722c1254a2ed256824f30c425 20526565 typo3-src_4.5.9+dfsg1.orig.tar.gz
dbbfcedf17fc03edebb741234523ceaa729c64b1 149976 typo3-src_4.5.9+dfsg1-1.debian.tar.gz
557ed9ed57c0074a58f3aa1cf7ea921df0b4d9ec 20226800 typo3-src-4.5_4.5.9+dfsg1-1_all.deb
cfda9210c999e3ec646359ca89521ccafb0ac79d 267464 typo3-database_4.5.9+dfsg1-1_all.deb
46cedceb2045ae456f05412955d5fe9c4f1ca775 273642 typo3-dummy_4.5.9+dfsg1-1_all.deb
3b04cbbad6a7fb758a185677cb1079d420a5d4c1 1252 typo3_4.5.9+dfsg1-1_all.deb
Checksums-Sha256:
12f133737a1fc12a0c2c24ab140629422defc615be50031b5df3d7c8c2045ef6 2136 typo3-src_4.5.9+dfsg1-1.dsc
acf3c8cac4558f5ba846981a0711b9eb96279531907df81605cfc4668996b2e0 9850 typo3-src_4.5.9+dfsg1.orig-dummy.tar.gz
1e748eacaf4a91c33413f8b8c73b46f863e73d1e6086972206035d857620ddfa 20526565 typo3-src_4.5.9+dfsg1.orig.tar.gz
7e280cfbbea94a8521d36507206cfbb2ca5e06074dddedcc311143b45fa06dc8 149976 typo3-src_4.5.9+dfsg1-1.debian.tar.gz
98418d966e626fdb80378853caffe9cecb67484cec35ff8492f70c858feac6d7 20226800 typo3-src-4.5_4.5.9+dfsg1-1_all.deb
cce5402fefd189c4e03a704ddcfccc9e2252aae850e6d527bf2b54c711db7a10 267464 typo3-database_4.5.9+dfsg1-1_all.deb
8e39e8836c200f002ae6436943917e4f52febbf8dc737b83a62d48a0e055d726 273642 typo3-dummy_4.5.9+dfsg1-1_all.deb
c7a8c8208cf314a7e3d882d1394b6266872f1a4f4a8394cafbe604e21c01e05a 1252 typo3_4.5.9+dfsg1-1_all.deb
Files:
db222ab1a88998e58f4059d3c0a38fc1 2136 web optional typo3-src_4.5.9+dfsg1-1.dsc
377635b360ee511dda7ff142968c9af5 9850 web optional typo3-src_4.5.9+dfsg1.orig-dummy.tar.gz
f61dc59e77914ca70edabc1aec64093e 20526565 web optional typo3-src_4.5.9+dfsg1.orig.tar.gz
1c303331474ae27b11e31335211a6423 149976 web optional typo3-src_4.5.9+dfsg1-1.debian.tar.gz
00a4ef37fe875f829312f4af7841d916 20226800 web optional typo3-src-4.5_4.5.9+dfsg1-1_all.deb
30ce9bbe3f6759c2d81bc49ce57344b5 267464 web optional typo3-database_4.5.9+dfsg1-1_all.deb
3c35dbb0d5a54497e7b6ad4dc3918267 273642 web optional typo3-dummy_4.5.9+dfsg1-1_all.deb
9b4a891a2fe22d885168443c7cc0ae29 1252 web optional typo3_4.5.9+dfsg1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

=6k8R
-----END PGP SIGNATURE-----
--- End Message ---