Debian Bug report logs - #552020
TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple vulnerabilities in TYPO3 Core


Package: typo3-src; Maintainer for typo3-src is Christian Welzel <gawain@camlann.de>;

Reported by: gawain@camlann.de

Date: Thu, 22 Oct 2009 19:39:01 UTC

Severity: critical

Tags: security

Found in versions 4.2.9-1, 4.2.5-1+lenny1, 4.3.0~beta1-1

Fixed in versions typo3-src/4.3.0~beta2-1, typo3-src/4.2.10-1, typo3-src/4.2.5-1+lenny2, typo3-src/4.0.2+debian-9

Done: Christian Welzel <gawain@camlann.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Welzel <gawain@camlann.de>:
Bug#552020; Package typo3-src. (Thu, 22 Oct 2009 19:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to gawain@camlann.de:
New Bug report received and forwarded. Copy sent to Christian Welzel <gawain@camlann.de>. (Thu, 22 Oct 2009 19:39:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: submit@bugs.debian.org
Subject: TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple vulnerabilities in TYPO3 Core
Date: Thu, 22 Oct 2009 19:51:42 +0200
Package: typo3-src      
Severity: critical
Tags: security


TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple vulnerabilities in TYPO3 Core

Vulnerability Types: SQL injection, Cross-site scripting (XSS), Information disclosure,
Frame hijacking, Remote shell command execution and Insecure Install Tool
authentication/session handling.

Problem Description 1: By entering malicious content into a tt_content form element,
a backend user could recalculate the encryption key. This knowledge could be used
to attack TYPO3 mechanisms that were protected by this key. A valid backend login
is required to exploit this vulnerability.

Problem Description 2: Failing to sanitize user input, the TYPO3 backend is susceptible
to XSS attacks in several places. A valid backend login is required to exploit these
vulnerabilities.

Problem Description 3: By manipulating URL parameters it is possible to include
arbitrary websites in the TYPO3 backend framesets. A valid backend login is required
to exploit this vulnerability.

Problem Description 4: By uploading files with malicious filenames, an editor could
execute arbitrary shell commands on the server on which the TYPO3 installation is located.
A valid backend login is required to exploit this vulnerability.

Problem Description 5: Failing to sanitize URL parameters, TYPO3 is susceptible to SQL
injection in the frontend editing feature (the traditional one, not feeditadvanced, which
will be shipped with TYPO3 4.3). A valid backend login and activated frontend editing
are required to exploit this vulnerability.

Problem Description 6: The sanitizing algorithm of the API function t3lib_div::quoteJSvalue
wasn't sufficient, so that an attacker could inject specially crafted HTML or JavaScript
code. Since this function can be used in backend modules as well as in frontend
extensions, this vulnerability could also be exploited without the need for a
valid backend login.

Problem Description 7: Failing to sanitize URL parameters, the Frontend Login Box is
susceptible to XSS.

Problem Description 8: It is possible to gain access to the Install Tool by only knowing
the md5 hash of the Install Tool password.

Problem Description 9: Failing to sanitize URL parameters, the Install Tool is susceptible
to Cross-site scripting attacks.

For more information see the TYPO3 Bulletin at:
<https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/>

-- 
 Regards, Christian Welzel

  GPG-Key:     http://www.camlann.de/key.asc
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15




Bug Marked as found in versions 4.2.9-1. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Sat, 24 Oct 2009 12:00:07 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 4.3.0~beta1-1. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Sat, 24 Oct 2009 12:00:08 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 4.2.5-1+lenny1. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Sat, 24 Oct 2009 12:00:08 GMT) Full text and rfc822 format available.

Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sat, 24 Oct 2009 12:45:10 GMT) Full text and rfc822 format available.

Notification sent to gawain@camlann.de:
Bug acknowledged by developer. (Sat, 24 Oct 2009 12:45:10 GMT) Full text and rfc822 format available.

Message #16 received at 552020-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 552020-close@bugs.debian.org
Subject: Bug#552020: fixed in typo3-src 4.3.0~beta2-1
Date: Sat, 24 Oct 2009 12:17:35 +0000
Source: typo3-src
Source-Version: 4.3.0~beta2-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-database_4.3.0~beta2-1_all.deb
  to pool/main/t/typo3-src/typo3-database_4.3.0~beta2-1_all.deb
typo3-src-4.3_4.3.0~beta2-1_all.deb
  to pool/main/t/typo3-src/typo3-src-4.3_4.3.0~beta2-1_all.deb
typo3-src_4.3.0~beta2-1.diff.gz
  to pool/main/t/typo3-src/typo3-src_4.3.0~beta2-1.diff.gz
typo3-src_4.3.0~beta2-1.dsc
  to pool/main/t/typo3-src/typo3-src_4.3.0~beta2-1.dsc
typo3-src_4.3.0~beta2.orig.tar.gz
  to pool/main/t/typo3-src/typo3-src_4.3.0~beta2.orig.tar.gz
typo3_4.3.0~beta2-1_all.deb
  to pool/main/t/typo3-src/typo3_4.3.0~beta2-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Oct 2009 22:00:00 +0100
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.0~beta2-1
Distribution: experimental
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - The enterprise level open source WebCMS (Meta)
 typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
 typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 552020
Changes: 
 typo3-src (4.3.0~beta2-1) experimental; urgency=high
 .
   * New upstream release.
     - fixes "TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple
       vulnerabilities in TYPO3 Core" (Closes: 552020)
Checksums-Sha1: 
 4bb9c6efda3a4ad8d31f2ae214533f8718a61269 1045 typo3-src_4.3.0~beta2-1.dsc
 49a33a2b6bcf293a5f42d06a81775d30730ad651 11712487 typo3-src_4.3.0~beta2.orig.tar.gz
 744d9b66d968573c7f848e7c2df9b44d4a65cf48 255079 typo3-src_4.3.0~beta2-1.diff.gz
 20442a47f8eebef2f57657b6df3ced725e6bc32a 11523590 typo3-src-4.3_4.3.0~beta2-1_all.deb
 ce80b6479135e34858648148f5703d8663ddf019 318280 typo3-database_4.3.0~beta2-1_all.deb
 6c1f2fb341e10c7731c39ccdad1a872ab0f839b1 1256 typo3_4.3.0~beta2-1_all.deb
Checksums-Sha256: 
 772707e0ad3a0ef5c626d4bea1267ca634788293552463d3f683f9d84510b489 1045 typo3-src_4.3.0~beta2-1.dsc
 f527b5eb97840fd62ef79fb43719293402b611c2318a82894f186204f4bddf0b 11712487 typo3-src_4.3.0~beta2.orig.tar.gz
 0a73c6de7269eaec66a706f192cccabf03fd0f7402189492189ce38d7cb0f67b 255079 typo3-src_4.3.0~beta2-1.diff.gz
 7676319eae71293b6b2ca299e8bb1dc5cc521ea988e2613d9f63884a5db36db4 11523590 typo3-src-4.3_4.3.0~beta2-1_all.deb
 ada86b7456d87775a5937b0a488b5deeba7f130ca8f71973b7e9cae81dde870b 318280 typo3-database_4.3.0~beta2-1_all.deb
 2aae628b5f99ea3430d4476a01b560ee503c3941e92130c6535dca89ac6256e5 1256 typo3_4.3.0~beta2-1_all.deb
Files: 
 64856154a5765c033109984999bc8a42 1045 web optional typo3-src_4.3.0~beta2-1.dsc
 2e78dc85cff04b9d67be85aaf3547ac2 11712487 web optional typo3-src_4.3.0~beta2.orig.tar.gz
 bd8fccf6aac1ae4cbecffb9a8c8d6da8 255079 web optional typo3-src_4.3.0~beta2-1.diff.gz
 545a8e5d4618835fa97c2a6a3c22f983 11523590 web optional typo3-src-4.3_4.3.0~beta2-1_all.deb
 2a5f7045d9160582151acaa199801029 318280 web optional typo3-database_4.3.0~beta2-1_all.deb
 adb6596d6671fc29de78d5e18617de21 1256 web optional typo3_4.3.0~beta2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK4uyxUHLQNqxYNSARAq1aAKCTSTZaS/coMMAbmVe0Pw0o9v8aEwCeMbPV
wT7eZ52MvdEL4CFEjI6n1g8=
=AJ3g
-----END PGP SIGNATURE-----





Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sat, 24 Oct 2009 12:45:12 GMT) Full text and rfc822 format available.

Notification sent to gawain@camlann.de:
Bug acknowledged by developer. (Sat, 24 Oct 2009 12:45:12 GMT) Full text and rfc822 format available.

Message #21 received at 552020-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 552020-close@bugs.debian.org
Subject: Bug#552020: fixed in typo3-src 4.2.10-1
Date: Sat, 24 Oct 2009 12:17:23 +0000
Source: typo3-src
Source-Version: 4.2.10-1

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.10-1_all.deb
  to pool/main/t/typo3-src/typo3-src-4.2_4.2.10-1_all.deb
typo3-src_4.2.10-1.diff.gz
  to pool/main/t/typo3-src/typo3-src_4.2.10-1.diff.gz
typo3-src_4.2.10-1.dsc
  to pool/main/t/typo3-src/typo3-src_4.2.10-1.dsc
typo3-src_4.2.10.orig.tar.gz
  to pool/main/t/typo3-src/typo3-src_4.2.10.orig.tar.gz
typo3_4.2.10-1_all.deb
  to pool/main/t/typo3-src/typo3_4.2.10-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Oct 2009 22:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.10-1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 552020
Changes: 
 typo3-src (4.2.10-1) unstable; urgency=high
 .
   * New upstream release.
     - fixes "TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple
       vulnerabilities in TYPO3 Core" (Closes: 552020)
Checksums-Sha1: 
 12d1491988196812c82346f4ad8b73b591c1830e 987 typo3-src_4.2.10-1.dsc
 ba6fa68267bf924df2f3ddfffee7dac4fc51f800 8155862 typo3-src_4.2.10.orig.tar.gz
 d1a59783a5d7eb18d0dc9144827a8bef22d03282 108718 typo3-src_4.2.10-1.diff.gz
 4471a17c2629f8d38d47470b89f728f02b27ed2a 139048 typo3_4.2.10-1_all.deb
 b343d78aa7a7b95d98fe9102fa5e40f0be228bbd 8205562 typo3-src-4.2_4.2.10-1_all.deb
Checksums-Sha256: 
 50f9e73efd4a5943baf9deb4d14ce50bd92613f75ce3c6da06849f74cfe18f1e 987 typo3-src_4.2.10-1.dsc
 d64b78314e67a1b03e8a720b655ffd04cec45b31c9e3e603605fd70a5556b6e7 8155862 typo3-src_4.2.10.orig.tar.gz
 987987b0abd307162b66bc2b841b20d7cdfecb712185d3e82e378f8757e002d3 108718 typo3-src_4.2.10-1.diff.gz
 14af0443c2ab9c52228d58fc1eca420acaa6e25909d459f082626383febc24be 139048 typo3_4.2.10-1_all.deb
 14a2e1dd3c4b89f8a68bfa7da97c8ad7e7624a2f900ab610fc3a95a1efb0a791 8205562 typo3-src-4.2_4.2.10-1_all.deb
Files: 
 ab1b418e337e2cd4f9a17d120a38b0b1 987 web optional typo3-src_4.2.10-1.dsc
 b53a1d9faeff6a872efa9104946cdb87 8155862 web optional typo3-src_4.2.10.orig.tar.gz
 2ad72958fed81ab5c4d3b56ecbaafa6c 108718 web optional typo3-src_4.2.10-1.diff.gz
 74e0a0ab2b27a5526befa5e8fcf02f81 139048 web optional typo3_4.2.10-1_all.deb
 df2a6e9fc2d44b7ca9fd614d9f7a131c 8205562 web optional typo3-src-4.2_4.2.10-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK4uwdUHLQNqxYNSARAtc7AJ9QvZaieI4r7l9tduCRgIHTV8tzogCgrg+r
FAN6QGZug+QL+ZpHMPsun2Q=
=Znlw
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Christian Welzel <gawain@camlann.de>:
Bug#552020; Package typo3-src. (Mon, 26 Oct 2009 17:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon Hürlimann <simon.huerlimann@sbszh.ch>:
Extra info received and forwarded to list. Copy sent to Christian Welzel <gawain@camlann.de>. (Mon, 26 Oct 2009 17:27:02 GMT) Full text and rfc822 format available.

Message #26 received at 552020@bugs.debian.org (full text, mbox):

From: Simon Hürlimann <simon.huerlimann@sbszh.ch>
To: 552020@bugs.debian.org
Subject: Will this be fixed in the stable version, too?
Date: Mon, 26 Oct 2009 16:00:32 +0100
Hi all

This bug has been marked as found in version 4.2.5-1+lenny1 as shipped
by Lenny. But it looks like there's no fixed version available for the
stable distribution yet. But this bug is marked as done.

Just wanted to ask whether this version is not vulnerable or a fix is in the
works.

Thank you all for this wonderful distribution!

Simon Hürlimann
Swiss Library for the Blind and Visually Impaired




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Welzel <gawain@camlann.de>:
Bug#552020; Package typo3-src. (Tue, 27 Oct 2009 00:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Christian Welzel <gawain@camlann.de>. (Tue, 27 Oct 2009 00:18:03 GMT) Full text and rfc822 format available.

Message #31 received at 552020@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: Simon Hürlimann <simon.huerlimann@sbszh.ch>, 552020@bugs.debian.org
Subject: Re: Bug#552020: Will this be fixed in the stable version, too?
Date: Mon, 26 Oct 2009 20:12:22 +0200
Hi Simon,

On Monday, 26 October 2009, Simon Hürlimann wrote:
> This bug has been marked as found in version 4.2.5-1+lenny1 as shipped
> by Lenny. But it looks like there's no fixed version available for the
> stable distribution, yet. But this bug is marked as done.
> Just wanted to ask if this version is not vulnerable or a fix is in the
> work.

The fix is in the works. It should be ready real soon now; until then you can grab
fixed packages from http://typo3.camlann.de/

> Thank you all for this wonderful distribution!

:-) Thanks.


regards,
	Holger

Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sat, 05 Dec 2009 21:54:08 GMT) Full text and rfc822 format available.

Notification sent to gawain@camlann.de:
Bug acknowledged by developer. (Sat, 05 Dec 2009 21:54:09 GMT) Full text and rfc822 format available.

Message #36 received at 552020-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 552020-close@bugs.debian.org
Subject: Bug#552020: fixed in typo3-src 4.2.5-1+lenny2
Date: Sat, 05 Dec 2009 21:51:35 +0000
Source: typo3-src
Source-Version: 4.2.5-1+lenny2

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.2_4.2.5-1+lenny2_all.deb
  to main/t/typo3-src/typo3-src-4.2_4.2.5-1+lenny2_all.deb
typo3-src_4.2.5-1+lenny2.diff.gz
  to main/t/typo3-src/typo3-src_4.2.5-1+lenny2.diff.gz
typo3-src_4.2.5-1+lenny2.dsc
  to main/t/typo3-src/typo3-src_4.2.5-1+lenny2.dsc
typo3_4.2.5-1+lenny2_all.deb
  to main/t/typo3-src/typo3_4.2.5-1+lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Oct 2009 22:00:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.2
Architecture: source all
Version: 4.2.5-1+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.2 - Powerful content management framework (Core)
Closes: 552020
Changes: 
 typo3-src (4.2.5-1+lenny2) stable-security; urgency=high
 .
   * Added patches (backported from 4.2.10) to fix the security issues
     from "TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple
     vulnerabilities in TYPO3 Core" with the following CVEs assigned:
      CVE-2009-3628 TYPO3 Information disclosure
      CVE-2009-3629 TYPO3 Cross-site scripting
      CVE-2009-3630 TYPO3 Frame hijacking
      CVE-2009-3631 TYPO3 Remote shell command execution
      CVE-2009-3632 TYPO3 SQL injection
      CVE-2009-3633 TYPO3 API function t3lib_div::quoteJSvalue XSS
      CVE-2009-3634 TYPO3 Frontend Login Box (felogin) XSS
      CVE-2009-3635 TYPO3 Insecure Authentication and Session Handling
      CVE-2009-3636 TYPO3 Install Tool XSS
     (Closes: 552020).
Checksums-Sha1: 
 d2fbebe02d85ae433581d5b05dd1a745cee0356c 1008 typo3-src_4.2.5-1+lenny2.dsc
 7ea2716fefafee6fee0cd4a92b5f48b4c7173cd2 122866 typo3-src_4.2.5-1+lenny2.diff.gz
 339c6ed5cfda1c1837a1eebecffd25628abc4d6b 133854 typo3_4.2.5-1+lenny2_all.deb
 211fc4730071526e624af07d0109e556418af518 8201724 typo3-src-4.2_4.2.5-1+lenny2_all.deb
Checksums-Sha256: 
 f8c131e0d6387e837298ea2b3a8386b951322c6e1af5fd613b119c6de80c4b5a 1008 typo3-src_4.2.5-1+lenny2.dsc
 ea801f0e99198cdf98aa3f19cfc12dbde063d8d3e37cd0aef29e809fa3ff8f27 122866 typo3-src_4.2.5-1+lenny2.diff.gz
 3bab375199e52583b57c94247839ff860e8ea88bedbdcb4c9f9a2b01363deec4 133854 typo3_4.2.5-1+lenny2_all.deb
 5d46c84f27f9705e9304c9196e0b1e9cfddcdc9c3955e38e87840f2f0a2a8d73 8201724 typo3-src-4.2_4.2.5-1+lenny2_all.deb
Files: 
 8980c630529cf34c44f491e4ee6e6e07 1008 web optional typo3-src_4.2.5-1+lenny2.dsc
 d4bce174f2ea2a94834cc0d250b51495 122866 web optional typo3-src_4.2.5-1+lenny2.diff.gz
 04e43a0b661c56a307a06f282f304e43 133854 web optional typo3_4.2.5-1+lenny2_all.deb
 ea85991b8e26953d7ff43080458cc766 8201724 web optional typo3-src-4.2_4.2.5-1+lenny2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK4w0jUHLQNqxYNSARAlysAJ9WbTDwavbKkVys0h9bLKGqPjwsugCeOOAs
S3J5hUikDpCW/GTz19eH28E=
=/4N8
-----END PGP SIGNATURE-----





Reply sent to Christian Welzel <gawain@camlann.de>:
You have taken responsibility. (Sat, 05 Dec 2009 22:45:03 GMT) Full text and rfc822 format available.

Notification sent to gawain@camlann.de:
Bug acknowledged by developer. (Sat, 05 Dec 2009 22:45:04 GMT) Full text and rfc822 format available.

Message #41 received at 552020-close@bugs.debian.org (full text, mbox):

From: Christian Welzel <gawain@camlann.de>
To: 552020-close@bugs.debian.org
Subject: Bug#552020: fixed in typo3-src 4.0.2+debian-9
Date: Sat, 05 Dec 2009 22:42:09 +0000
Source: typo3-src
Source-Version: 4.0.2+debian-9

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive:

typo3-src-4.0_4.0.2+debian-9_all.deb
  to main/t/typo3-src/typo3-src-4.0_4.0.2+debian-9_all.deb
typo3-src_4.0.2+debian-9.diff.gz
  to main/t/typo3-src/typo3-src_4.0.2+debian-9.diff.gz
typo3-src_4.0.2+debian-9.dsc
  to main/t/typo3-src/typo3-src_4.0.2+debian-9.dsc
typo3_4.0.2+debian-9_all.deb
  to main/t/typo3-src/typo3_4.0.2+debian-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gawain@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 22 Oct 2009 23:30:00 +0100
Source: typo3-src
Binary: typo3 typo3-src-4.0
Architecture: source all
Version: 4.0.2+debian-9
Distribution: oldstable-security
Urgency: high
Maintainer: Christian Welzel <gawain@camlann.de>
Changed-By: Christian Welzel <gawain@camlann.de>
Description: 
 typo3      - Powerful content management framework (Meta package)
 typo3-src-4.0 - Powerful content management framework (Core)
Closes: 552020
Changes: 
 typo3-src (4.0.2+debian-9) oldstable-security; urgency=high
 .
   * Added patches (backported from 4.2.10) to fix the security issues
     from "TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple
     vulnerabilities in TYPO3 Core" with the following CVEs assigned:
      CVE-2009-3628 TYPO3 Information disclosure
      CVE-2009-3629 TYPO3 Cross-site scripting
      CVE-2009-3630 TYPO3 Frame hijacking
      CVE-2009-3631 TYPO3 Remote shell command execution
      CVE-2009-3632 TYPO3 SQL injection
      CVE-2009-3633 TYPO3 API function t3lib_div::quoteJSvalue XSS
      CVE-2009-3634 TYPO3 Frontend Login Box (felogin) XSS
      CVE-2009-3635 TYPO3 Insecure Authentication and Session Handling
      CVE-2009-3636 TYPO3 Install Tool XSS
     (Closes: 552020).
Files: 
 522ed0d81b54572f24b984a8448d594b 610 web optional typo3-src_4.0.2+debian-9.dsc
 a0f7dee86225e89e4914633d2401e232 32793 web optional typo3-src_4.0.2+debian-9.diff.gz
 ba868af9c67e56ba346233e3473b94c6 77256 web optional typo3_4.0.2+debian-9_all.deb
 030c0d0fa407a74b5d48a24d280e2ce5 7696110 web optional typo3-src-4.0_4.0.2+debian-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK8cM+UHLQNqxYNSARAvCOAKCQzYlrBYukelnpyUQkqsrIMGKLrwCbBPZ4
lF4fFfF4wWCaM6LkdrkXwBE=
=4waN
-----END PGP SIGNATURE-----
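The four "fixed in" messages above close this bug with a different typo3-src version for each suite (oldstable-security, stable-security, unstable, experimental), and the header lists 4.2.9-1 as a vulnerable version even though it sorts after the stable fix 4.2.5-1+lenny2. A practitioner checking an installation therefore has to compare the installed version against the fixed version of the suite it came from, not against "any" fixed version. The following Python is an added example written for this page; it is not code from Debian, TYPO3 or the bug submitter. It re-implements dpkg's version ordering (epoch, then upstream, then Debian revision, with `~` sorting before everything) so it generalises to any Debian version string, and the suite-to-fixed-version table is transcribed from the `Distribution:` and `Version:` fields of the closing messages. The `is_fixed` helper and the sample inputs in the `__main__` block are assumptions of this example.

```python
"""Check whether an installed typo3-src version carries the fix for
Bug#552020 (TYPO3-SA-2009-016), using dpkg's version-ordering rules.

Added example for this bug log, not code from Debian or TYPO3."""

# Fixed version per suite, transcribed from the closing messages of
# Bug#552020. The suite matters: 4.2.9-1 sorts after 4.2.5-1+lenny2 yet is
# listed as vulnerable, so a comparison against the wrong branch is useless.
FIXED_BY_SUITE = {
    "oldstable-security": "4.0.2+debian-9",
    "stable-security": "4.2.5-1+lenny2",
    "unstable": "4.2.10-1",
    "experimental": "4.3.0~beta2-1",
}


def _order(c: str) -> int:
    """dpkg sort weight of one character: '~' before end-of-string,
    end-of-string/digits next, then letters, then other punctuation."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _ch(s: str, k: int) -> str:
    """Character at index k, or '' once past the end of s."""
    return s[k] if k < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part (upstream or revision) the way dpkg does:
    alternate non-digit runs (by _order) and numeric runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(_ch(a, i)), _order(_ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while _ch(a, i) == "0":  # leading zeros of a numeric run are ignored
            i += 1
        while _ch(b, j) == "0":
            j += 1
        while _ch(a, i).isdigit() and _ch(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _ch(a, i).isdigit():  # longer numeric run wins
            return 1
        if _ch(b, j).isdigit():
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def parse_version(version: str) -> tuple:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or
    newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, suite: str) -> bool:
    """True if `installed`, obtained from `suite`, is at or past the version
    that closed Bug#552020 for that suite (hypothetical helper)."""
    if suite not in FIXED_BY_SUITE:
        raise ValueError(f"no fixed typo3-src version recorded for suite {suite!r}")
    return compare_versions(installed, FIXED_BY_SUITE[suite]) >= 0


if __name__ == "__main__":
    # Constructed sample inputs: versions named on this page with their suite.
    for version, suite in [("4.2.5-1+lenny1", "stable-security"),
                           ("4.2.5-1+lenny2", "stable-security"),
                           ("4.2.9-1", "unstable"),
                           ("4.2.10-1", "unstable"),
                           ("4.3.0~beta1-1", "experimental")]:
        print(f"{version:16} ({suite}): {'fixed' if is_fixed(version, suite) else 'VULNERABLE'}")
```

The suite an installed package came from is what `apt-cache policy typo3-src-4.2` reports; feed that and the installed version to `is_fixed`. The `~` handling is the part most ad-hoc version checks get wrong: 4.3.0~beta1-1 must sort below 4.3.0~beta2-1 and both below a plain 4.3.0-1, which this ordering guarantees.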





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:30:15 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:05:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.