Debian Bug report logs - #512608
[SA33617] Typo3 Multiple Vulnerabilities


Package: typo3-src; Maintainer for typo3-src is Christian Welzel <gawain@camlann.de>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Thu, 22 Jan 2009 07:42:02 UTC

Severity: grave

Tags: security

Found in versions 4.0.2+debian-5, 4.2.3-1

Fixed in versions 4.0.2+debian-6, typo3-src/4.2.4-1

Done: Christian Welzel <gawain@camlann.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Christian Welzel <gawain@camlann.de>:
Bug#512608; Package typo3-src. (Thu, 22 Jan 2009 07:42:04 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Christian Welzel <gawain@camlann.de>. (Thu, 22 Jan 2009 07:42:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [SA33617] Typo3 Multiple Vulnerabilities
Date: Thu, 22 Jan 2009 08:39:10 +0100
Package: typo3-src
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for Typo3:

SA33617[1]

> DESCRIPTION:
> Some vulnerabilities have been reported in Typo3, which can be
> exploited by malicious people to bypass certain security
> restrictions, conduct cross-site scripting and session fixation
> attacks, and compromise a vulnerable system.
> 
> 1) The "Install tool" system extension uses insufficiently random
> entropy sources to generate an encryption key, resulting in weak
> security.
> 
> 2) The authentication library does not properly invalidate supplied
> session tokens, which can be exploited to hijack a user's session.
> 
> 3) Certain unspecified input passed to the "Indexed Search Engine"
> system extension is not properly sanitised before being used to
> invoke commands. This can be exploited to inject and execute
> arbitrary shell commands.
> 
> 4) Input passed via the name and content of files to the "Indexed
> Search Engine" system extension is not properly sanitised before
> being returned to the user. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an affected site.
> 
> 5) Certain unspecified input passed to the Workspace module is not
> properly sanitised before being returned to the user. This can be
> exploited to execute arbitrary HTML and script code in a user's
> browser session in context of an affected site.
> 
> Note: It is also reported that certain unspecified input passed to
> test scripts of the "ADOdb" system extension is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected website.
> 
> SOLUTION:
> Update to Typo3 version 4.0.10, 4.1.8, or 4.2.4.
> 
> Generate a new encryption key (see vendor's advisory for more
> information).
> 
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1) Chris John Riley of Raiffeisen Informatik, CERT Security
> Competence Center Zwettl
> 2) Marcus Krause
> 3, 4) Mads Olesen
> 5) Daniel Fabian, SEC Consult
> 
> ORIGINAL ADVISORY:
> TYPO3-SA-2009-001:
> http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/

If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1]http://secunia.com/advisories/33617/

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl4IpcACgkQNxpp46476ar0ngCfSRgis+Em7SqxFn/3biLtqRVt
/noAn0W0Y1T7EDOytyIfw4l63Ix+3yEE
=PAgw
-----END PGP SIGNATURE-----

Bug marked as found in version 4.0.2+debian-5. Request was from Christian Welzel <gawain@camlann.de> to control@bugs.debian.org. (Thu, 22 Jan 2009 10:51:03 GMT)

Bug marked as found in version 4.2.3-1. Request was from Christian Welzel <gawain@camlann.de> to control@bugs.debian.org. (Thu, 22 Jan 2009 10:51:04 GMT)

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Thu, 22 Jan 2009 17:12:14 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Thu, 22 Jan 2009 17:12:14 GMT)

Message #14 received at 512608-done@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 512608-done@bugs.debian.org
Subject: closing
Date: Thu, 22 Jan 2009 18:08:24 +0100
Version: 4.2.4-1

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug reopened, originator not changed. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 22 Jan 2009 21:39:02 GMT)

Bug marked as found in version 4.2.3-1. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 22 Jan 2009 21:39:03 GMT)

Bug marked as found in version 4.0.2+debian-5. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 22 Jan 2009 21:39:04 GMT)

Bug marked as fixed in version 4.0.2+debian-6. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 22 Jan 2009 21:54:02 GMT)

Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Fri, 23 Jan 2009 15:12:10 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 23 Jan 2009 15:12:10 GMT)

Message #27 received at 512608-close@bugs.debian.org:

From: Christian Welzel <gawain@camlann.de>
To: 512608-close@bugs.debian.org
Subject: Bug#512608: fixed in typo3-src 4.2.4-1
Date: Fri, 23 Jan 2009 14:47:16 +0000
Source: typo3-src
Source-Version: 4.2.4-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.4-1_all.deb
  to pool/main/t/typo3-src/typo3-src-4.2_4.2.4-1_all.deb
typo3-src_4.2.4-1.diff.gz
  to pool/main/t/typo3-src/typo3-src_4.2.4-1.diff.gz
typo3-src_4.2.4-1.dsc
  to pool/main/t/typo3-src/typo3-src_4.2.4-1.dsc
typo3-src_4.2.4.orig.tar.gz
  to pool/main/t/typo3-src/typo3-src_4.2.4.orig.tar.gz
typo3_4.2.4-1_all.deb
  to pool/main/t/typo3-src/typo3_4.2.4-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Jan 2009 12:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.4-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 512608
Changes: 
 typo3-src (4.2.4-1) unstable; urgency=high
 .
   * New upstream release.
     - fixes TYPO3 Security Bulletin TYPO3-SA-2009-001: Multiple vulnerabilities
       in TYPO3 Core (Closes: 512608)
   * Updated package description.
   * Updated copyright file to list the license of two icons.
Checksums-Sha1: 
 d79ec3d523491553bf509b280b18e62047b588fd 980 typo3-src_4.2.4-1.dsc
 6165fd8b0e22a0a5ea9658cf1917c9f9999c485e 8143390 typo3-src_4.2.4.orig.tar.gz
 5e8acc2656caf9423cbaf989a5dd6fb0feda54ce 108502 typo3-src_4.2.4-1.diff.gz
 500b5a17ab52739ced9315e541e6b6d073180e75 133372 typo3_4.2.4-1_all.deb
 e94a21f948f7b78a4806a192479a291f306b0e28 8195376 typo3-src-4.2_4.2.4-1_all.deb
Checksums-Sha256: 
 d26d44b81eab53bc16b9899e6b65f3ee09912535ebe99aed68a441695f794c81 980 typo3-src_4.2.4-1.dsc
 a6551239ea33bc5fa351964fc5d4114a1bdd8286061c22aac3f1021c8d74b32a 8143390 typo3-src_4.2.4.orig.tar.gz
 d8895e06f8e5c828f04bb3e763cf9f02512ca2daf0fb2b7a0ba55700305366b0 108502 typo3-src_4.2.4-1.diff.gz
 edc8c35256bfbe3971847164e7c8f46b445e97a92551b1d7961dd29ec6ee5eb5 133372 typo3_4.2.4-1_all.deb
 7de8750033e65f32a427ebb423efc88dcc959a95d3b14a13068c50d84ec6b760 8195376 typo3-src-4.2_4.2.4-1_all.deb
Files: 
 0703c94488fea193f92cf93a9ca139c6 980 web optional typo3-src_4.2.4-1.dsc
 82ce83b665e3b19a823442549c138ddf 8143390 web optional typo3-src_4.2.4.orig.tar.gz
 89664d0b9cc0bec0146134e8a6748a77 108502 web optional typo3-src_4.2.4-1.diff.gz
 3a6a3dc2f9bfdd78f3bc076ab37add8b 133372 web optional typo3_4.2.4-1_all.deb
 b7e59f88a962c3671ff086634afd52e5 8195376 web optional typo3-src-4.2_4.2.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJec4oUHLQNqxYNSARAt7dAKDBZCQU39IdnQmuOXHtogPwIfFUDQCgqL81
r4tTTuLj/DsybzqiiZjrX9w=
=hDtz
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 Feb 2009 07:30:12 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:05:38 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.