Your message dated Fri, 08 Mar 2013 17:32:45 +0000
with message-id <e1ue19x-00060z...@franck.debian.org>
and subject line Bug#702574: fixed in typo3-src 4.5.19+dfsg1-5
has caused the Debian Bug report #702574,
regarding TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
702574: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702574
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is susceptible to SQL Injection
and Open Redirection.


Component Type: TYPO3 Core

Affected Versions: 4.5.0 up to 4.5.23, 4.6.0 up to 4.6.16, 4.7.0 up to
4.7.8 and 6.0.0 up to 6.0.2
Vulnerability Types: SQL Injection, Open Redirection
Overall Severity: High
Release Date: March 6, 2013

Vulnerable subcomponent: Extbase Framework

Vulnerability Type: SQL Injection
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:N/E:H/RL:O/RC:C

Problem Description: Failing to sanitize user input, the Extbase
database abstraction layer is susceptible to SQL Injection. TYPO3 sites
which have no Extbase extensions installed are not affected. Extbase
extensions are affected if they use the Query Object Model and relation
values are user-generated input (e.g.
$query->contains('model.categories', $userProvidedValue)).

Note: It has been reported to the TYPO3 Security Team that this problem
is known and exploited in the wild.

Vulnerable subcomponent: Access tracking mechanism

Vulnerability Type: Open Redirection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

Problem Description: Failing to validate user provided input, the access
tracking mechanism allows redirects to arbitrary URLs.

Important Notes: To fix this vulnerability, we had to break existing
behaviour of TYPO3 sites that use the access tracking mechanism (jumpurl
feature) to transform links to external sites. The link generation has
been changed to include a hash that is checked before redirecting to an
external URL. This means that old links that have been distributed (e.g.
by a newsletter) will not work any more. If you are using the jumpurl
feature you need to do the following:
look up more information on
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/de/pgpkey.html
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15

--- End Message ---
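As an added example (not TYPO3's own code, and not part of the bug report), this models the open-redirect fix the advisory describes: the link generator attaches a hash over the target, and the redirect handler refuses any target whose hash does not verify, which is also why previously distributed hash-less links stop working. The parameter names (jumpurl, juHash), the use of HMAC-SHA256 and the secret are this example's assumptions, not a description of TYPO3's implementation.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed server-side secret (assumption); in a real site this would be
# site-specific configuration that is never exposed to clients.
SECRET = b"constructed-site-secret"

# Constructed base URL of the jumpurl handler (assumption).
BASE_URL = "https://example.test/index.php"


def jumpurl_hash(target):
    """Keyed hash over the target URL; this is the value the link carries."""
    return hmac.new(SECRET, target.encode("utf-8"), hashlib.sha256).hexdigest()


def build_jumpurl(target):
    """Link generation after the fix: the hash is part of the generated link."""
    return BASE_URL + "?" + urlencode({"jumpurl": target, "juHash": jumpurl_hash(target)})


def _params(request_url):
    return parse_qs(urlparse(request_url).query)


def resolve_redirect_unchecked(request_url):
    """Pre-fix behaviour: whatever the client supplies is used as redirect target."""
    return _params(request_url).get("jumpurl", [None])[0]


def resolve_redirect(request_url):
    """Post-fix behaviour: redirect only if the carried hash verifies, else None."""
    params = _params(request_url)
    target = params.get("jumpurl", [None])[0]
    given = params.get("juHash", [""])[0]
    if target is None:
        return None
    # Constant-time comparison; a missing or tampered hash fails here.
    if not hmac.compare_digest(given, jumpurl_hash(target)):
        return None
    return target
```
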
--- Begin Message ---
Source: typo3-src
Source-Version: 4.5.19+dfsg1-5

We believe that the bug you reported is fixed in the latest version of
typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Mar 2013 17:02:05 +0100
Source: typo3-src
Binary: typo3-src-4.5 typo3-database typo3-dummy typo3
Architecture: source all
Version: 4.5.19+dfsg1-5
Distribution: unstable
Urgency: low
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 typo3      - web content management system (meta)
 typo3-database - web content management system (database)
 typo3-dummy - web content management system (basic site structure)
 typo3-src-4.5 - web content management system (core)
Closes: 702574
Changes: 
 typo3-src (4.5.19+dfsg1-5) unstable; urgency=low
 .
   * Added patch for TYPO3-SA-2013-001. (Closes: #702574)
   * Set patch level version to -pl.4.5.25.


--- End Message ---
