Bug#998125: libasound2-plugins: Config file for a52 plugin (60-a52-encoder.conf) produces no/garbled sound via optical digital out (S/PDIF)
Hi there,

I also had these sound problems using a TOSLink to my external receiver. Today I compiled the new 1.2.6 packages of libasound2 and libasound2-plugins for bullseye and the 5.1 sound is working again. I use the default 60-a52-encoder.conf file.

-- 
Kind regards,
Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#831935: libjs-swfobject: FTBFS with dpkg-buildpackage -A: dh_install: missing files, aborting
On 23.07.2016 at 13:15, Santiago Vila wrote:
> Patch attached.

I prepared a new package. This can be found on mentors, because I cannot upload myself. You can find it here:
https://mentors.debian.net/debian/pool/main/libj/libjs-swfobject/libjs-swfobject_2.2+dfsg-2.dsc

-- 
Kind regards,
Christian Welzel
Bug#831922: libjs-swfupload: FTBFS with dpkg-buildpackage -A: dh_install: missing files, aborting
Hi,

> If this is a new upstream, why is this still 2.2.0.1?

Because it's a fork of the original code. They patched some issues, but did not raise the version number. I didn't want to confuse people, so I only changed the +ds1 part to +ds2.

-- 
Kind regards,
Christian Welzel
Bug#831922: libjs-swfupload: FTBFS with dpkg-buildpackage -A: dh_install: missing files, aborting
On 23.07.2016 at 12:26, Santiago Vila wrote:
> The "build-indep" target is missing.

I prepared a new version of the package with new upstream. I cannot upload myself, so please take a look into
https://mentors.debian.net/debian/pool/main/libj/libjs-swfupload/libjs-swfupload_2.2.0.1+ds2-1.dsc
and upload for me, if all is good.

-- 
Kind regards,
Christian Welzel
Bug#803291: prepare for giflib5
On 02.01.2016 at 10:27, Matthias Klose wrote:
> any update on this?

Uploaded a new version to m.d.n but cannot upload to the archive. See here for more information:
http://mentors.debian.net/package/swftools

-- 
Kind regards,
Christian Welzel
Bug#803291: prepare for giflib5
On 28.10.2015 at 15:53, Matthias Klose wrote:
> Planning an update of giflib to the current version 5.1.1. Giflib slightly changes its API, requiring sourceful changes.

I'll look into this, and fix some other issues with the package on the way. Currently looking for some source for the SWF.

-- 
Kind regards,
Christian Welzel
Bug#781967: RM: typo3-src -- RoM; abandoned upstream
Package: ftp.debian.org
Severity: normal

Dear FTP-Team,

please remove the source package typo3-src and all its binaries from the archive. The current version 4.5 is outdated and out of (security) maintenance by upstream since this month.

-- 
Kind regards,
Christian Welzel

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#766502: TYPO3-CORE-SA-2014-002: Multiple Vulnerabilities in TYPO3 CMS
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 CMS is vulnerable to Denial of Service and Arbitrary Shell Execution.

Component Type: TYPO3 CMS
Vulnerability Types: Denial of Service, Arbitrary Shell Execution
Overall Severity: Medium
Release Date: October 22, 2014

Vulnerable subcomponent: OpenID System Extension
Vulnerability Type: Denial of Service
Affected Versions: 4.5.0 to 4.5.36, 4.7.0 to 4.7.19, 6.1.0 to 6.1.11 and 6.2.0 to 6.2.5
Severity: Medium
Related CVE: CVE-2013-4701
Problem Description: The OpenID library that is shipped with TYPO3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Affected are all TYPO3 installations with the system extension openid installed and enabled.
Solution: Alternatively, disabling the openid system extension also fixes the vulnerability in case an update is currently not possible. However, it is unlikely but possible that other third-party extensions use the OpenID library, exposing the TYPO3 installation to this vulnerability again. Therefore updating is strongly recommended.

Vulnerable subcomponent: Swiftmailer library
Vulnerability Type: Arbitrary Shell Execution
Affected Versions: 4.5.0 to 4.5.36, 4.7.0 to 4.7.19, 6.1.0 to 6.1.11 and 6.2.0 to 6.2.5
Severity: Medium
Related announcement: Swiftmailer release 5.2.1
Problem Description: The Swiftmailer library in use allows arbitrary shell commands to be executed if the From header comes from a non-trusted source and no Return-Path is configured. Affected are only TYPO3 installations where the configuration option $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport'] is set to sendmail. Installations with the default configuration are not affected.

-- 
Kind regards,
Christian Welzel
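The XRDS XXE above (CVE-2013-4701) exists because the OpenID library's XML parser honours DOCTYPE and entity declarations that an XRDS document never legitimately needs. What follows is an added example, my own Python and not code from TYPO3 or from the OpenID library, of the check a discovery client should make: parsing aborts on the first DOCTYPE or entity declaration, before any entity can be expanded, so the file read, the intranet request and the CPU/memory exhaustion cases all fail closed. Both XRDS documents are constructed for the example and the endpoint URLs in them are placeholders.

```python
import xml.parsers.expat


class UnsafeXrdsError(ValueError):
    """An XRDS document carried a DTD or entity declaration, which XRDS never needs."""


def parse_xrds_services(xrds_bytes):
    """Return [(Type, URI), ...] for every <Service> in an XRDS document.

    Any <!DOCTYPE ...> or <!ENTITY ...> aborts the parse before an entity can
    be expanded. expat is non-validating and does not fetch external entities
    by itself; refusing the DTD outright additionally stops internal entity
    expansion (billion-laughs style) and keeps the policy trivial to audit.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    state = {"path": [], "text": "", "service": {}, "services": []}

    def reject_dtd(*_ignored):
        raise UnsafeXrdsError("DOCTYPE/entity declarations are not allowed in XRDS")

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    parser.ExternalEntityRefHandler = reject_dtd

    def start_element(name, _attrs):
        local = name.rsplit(" ", 1)[-1]  # drop the namespace URI expat prepends
        state["path"].append(local)
        state["text"] = ""
        if local == "Service":
            state["service"] = {}

    def character_data(data):
        state["text"] += data

    def end_element(name):
        local = name.rsplit(" ", 1)[-1]
        state["path"].pop()
        if local in ("Type", "URI") and "Service" in state["path"]:
            state["service"][local] = state["text"].strip()
        elif local == "Service":
            svc = state["service"]
            state["services"].append((svc.get("Type", ""), svc.get("URI", "")))
        state["text"] = ""

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(xrds_bytes, True)
    return state["services"]


def discover_services(xrds_bytes):
    """What a discovery client calls: None means 'reject this provider', never 'retry unsafely'."""
    try:
        return parse_xrds_services(xrds_bytes)
    except (UnsafeXrdsError, xml.parsers.expat.ExpatError):
        return None


# Constructed sample documents (no real providers).
BENIGN_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.net/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# The shape the advisory describes: an external entity declaration plus a
# reference to it in the document body.
XXE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XRDS [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>&xxe;</Type><URI>https://op.example.net/openid</URI></Service></XRD>
</xrds:XRDS>
"""

if __name__ == "__main__":
    print(discover_services(BENIGN_XRDS))  # [('http://specs.openid.net/auth/2.0/server', 'https://op.example.net/openid')]
    print(discover_services(XXE_XRDS))     # None
```

The same guard belongs in front of any XML the application accepts from a remote party; the advisory's remark that other extensions may use the OpenID library is the reason to put it in the parser wrapper rather than in one caller.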
Bug#760541: Please, enable zipfile support
On 05.09.2014 at 05:49, David Prévot wrote:
> I just tried and rebuilt the package with libzzip-dev, and it allows me to go a little further, but as3compile then segfaults (I don't know yet if it's swftools' fault, or because of the .swc from the MediaElement.js I'm trying to build).

The whole swftools package is not as 64-bit safe as it should be. We also had other segfaults because of 32-bit initializers. So it could definitely be a bug in as3compile. Unfortunately there is currently no upstream activity. If you find a fix for this bug, I will forward it and add it to this package, but do not hope for upstream.

> By the way, if you have any advice to help build the Flash bits from MediaElement.js, it would be highly appreciated.

Package Apache Flex for Debian :)

-- 
Kind regards,
Christian Welzel
Bug#749215: TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.

Component Type: TYPO3 CMS
Overall Severity: Medium
Release Date: May 22, 2014

Vulnerability Type: Host Spoofing
Affected Versions: 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: Failing to properly validate the HTTP Host header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP Host header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the Host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. A blog post describes this problem in great detail.

Vulnerable subcomponent: Color Picker Wizard
Vulnerability Type: Insecure Unserialize
Affected Versions: 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13 and 6.1.0 to 6.1.8
Severity: Low
CVE: not assigned yet
Problem Description: Failing to validate the authenticity of a passed serialized string, the color picker wizard is susceptible to insecure unserialize, allowing authenticated editors to unserialize arbitrary PHP objects.

Vulnerable subcomponent: Backend
Vulnerability Type: Cross-Site Scripting
Affected Versions: 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Low
CVE: not assigned yet
Problem Description: Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript by crafting URL parameters.

Vulnerable subcomponent: ExtJS
Vulnerability Type: Cross-Site Scripting
Affected Versions: 4.5.0 to 4.5.33, 4.7.0 to 4.7.18, 6.0.0 to 6.0.13, 6.1.0 to 6.1.8 and 6.2.0 to 6.2.2
Severity: Medium
CVE: not assigned yet
Problem Description: The ExtJS JavaScript framework that is shipped with TYPO3 also delivers a Flash file to show charts. This file is susceptible to Cross-Site Scripting. This vulnerability can be exploited without any authentication.

Vulnerable subcomponent: Authentication
Vulnerability Type: Authentication Bypass
Affected Versions: All TYPO3 versions not configured to use salted passwords
Severity: Medium
CVE: not assigned yet
Problem Description: When the use of salted passwords is disabled (it is enabled by default since TYPO3 4.6 and required since TYPO3 6.2), passwords for backend access are stored as MD5 hashes in the database. Such a hash (e.g. taken from a successful SQL injection) can be used directly to authenticate backend users without knowing or reverse engineering the password.

-- 
Kind regards,
Christian Welzel
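As an added example of the Host header problem the bulletin above describes (my own Python, not TYPO3 code): absolute URLs such as a password reset link are only ever built from a Host value that is on a configured allow-list, after the parts a client can vary (case, trailing dot, port) are normalised away, and an unrecognised or malformed Host falls back to the configured canonical host instead of being echoed into the link. The allow-list, the canonical host and the reset path are constructed for the example.

```python
import re

# Constructed configuration for the example: hosts this site answers for, and
# the one to use when the request's Host header cannot be trusted.
ALLOWED_HOSTS = {"www.example.org", "example.org"}
CANONICAL_HOST = "www.example.org"

# hostname made of RFC 1123 labels, optional trailing dot, optional :port
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)\.?"
    r"(?::(?P<port>\d{1,5}))?$"
)


def validated_host(host_header, allowed=ALLOWED_HOSTS):
    """Return the normalised hostname if the Host header is on the allow-list, else None.

    'WWW.Example.ORG:443' and 'www.example.org.' both map to 'www.example.org';
    userinfo tricks such as 'www.example.org@attacker.example' fail the syntax
    check, and a host that merely looks plausible but is not ours fails the
    allow-list check.
    """
    if not host_header:
        return None
    match = _HOST_RE.match(host_header.strip().lower())
    if match is None:
        return None
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    host = match.group("host")
    return host if host in allowed else None


def absolute_url(host_header, path, scheme="https"):
    """Absolute URL for a site-generated path; never echoes an unknown Host header."""
    host = validated_host(host_header)
    if host is None:
        # Attacker-chosen or malformed Host: use the configured host instead.
        host = CANONICAL_HOST
    if not path.startswith("/"):
        path = "/" + path
    return f"{scheme}://{host}{path}"


def password_reset_link(host_header, token):
    """The kind of link the bulletin mentions; the reset path is an assumption of the example."""
    return absolute_url(host_header, f"/index.php?reset={token}")


if __name__ == "__main__":
    print(password_reset_link("attacker.example.net", "t0k3n"))  # https://www.example.org/index.php?reset=t0k3n
    print(password_reset_link("Example.ORG:443", "t0k3n"))       # https://example.org/index.php?reset=t0k3n
```

Keeping the allow-list in the application (rather than relying on the web server's virtual host selection) matters because, as the bulletin notes, a name-based virtual host setup still hands the application whatever Host value the client sent for the default site.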
Bug#732651: Please remove t1lib dependency
Hi Moritz,

nothing needs to be done except dropping the build-dep on libt1-dev. I uploaded a new version to m.d.n:
http://mentors.debian.net/debian/pool/main/s/swftools/swftools_0.9.2+git20130725-2.dsc

I cannot upload as I am no DD or DM for this package, so please upload it for me.

-- 
Kind regards,
Christian Welzel
Bug#591969: Downgrade
I downgraded this bug to prevent automatic removal from testing. The package itself will be removed from the archive before the freeze of jessie. I will upload a new 6.2 package for the new LTS version of TYPO3, which does not contain any SWF.

-- 
Kind regards,
Christian Welzel
Bug#724333: RFS: swftools/0.9.2+git20130725-1
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package swftools

 * Package name    : swftools
   Version         : 0.9.2+git20130725-1
 * URL             : http://www.swftools.org/
 * License         : GPL
   Section         : utils

It builds those binary packages:

  swftools     - Collection of utilities for SWF file manipulation/creation
  swftools-dbg - Collection of utilities for SWF file manipulation/creation (debug

To access further information about this package, please visit the following URL:
http://mentors.debian.net/package/swftools

Alternatively, one can download the package with dget using this command:
  dget -x http://mentors.debian.net/debian/pool/main/s/swftools/swftools_0.9.2+git20130725-1.dsc

Changes since the last upload:
  * New version from upstream git: commit b6e946b (Closes: 715912, 715961, 716159, 716366).
  * Changed build depends from libjpeg8-dev to libjpeg-dev (Closes: 694700).
  * Bump Standards Version to 3.9.4.
  * Added Vcs-* header to control.
  * Added hardening build flags.
  * Added debug package.

The package is lintian clean.

-- 
Kind regards,
Christian Welzel
Bug#720194: TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote Code Execution Vulnerability in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution.

Component Type: TYPO3 Core
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Release Date: July 30, 2013

Vulnerable subcomponent: Third Party Libraries used for audio and video playback
Vulnerability Type: Cross-Site Scripting
Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Related CVEs: CVE-2011-3642, CVE-2013-1464
Problem Description: TYPO3 bundles Flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.

Vulnerable subcomponent: Backend File Upload / File Abstraction Layer (this module is not part of the TYPO3 version in Debian!)
Vulnerability Type: Remote Code Execution by arbitrary file creation
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C
CVE: CVE-2013-4250

-- 
Kind regards,
Christian Welzel
Bug#710512: typo3-dummy: fails to install, probably caused by apache 2.4 transition
On 31.05.2013 at 15:53, Andreas Beckmann wrote:
> This is probably caused by the apache 2.4 transition (#661958)

The package is built after the wiki page about the 2.4 transition. But looking into the log reveals that although the package depends on apache2, the package apache2 does not get installed, but only the package apache2-bin. That's why the script apache2-maintscript-helper is not found,

-- 
Kind regards,
Christian Welzel
Bug#710512: typo3-dummy: fails to install, probably caused by apache 2.4 transition
On 01.06.2013 at 13:56, Andreas Beckmann wrote:
>> The package is built after the wiki page about the 2.4 transition. But looking into the log reveals that although the package depends on apache2, the package apache2 does not get installed, but only the package apache2-bin. That's why the script apache2-maintscript-helper is not found,
> No, there is no dependency on apache2:

Yes, wrong wording. The problem is on another part of the script. See Arno's message.

-- 
Kind regards,
Christian Welzel
Bug#710512: typo3-dummy: fails to install, probably caused by apache 2.4 transition
On 01.06.2013 at 14:33, Arno Töll wrote:
> Can you rather try if this example fixes your problem: http://paste.debian.net/7957/?
>
> COMMON_STATE=$(dpkg-query -f '${Status}' -W 'apache2.2-common' 2>/dev/null | awk '{print $3}' || true)
> [...]
> elif [ "$COMMON_STATE" = "installed" ] ; then

I'm not sure if that works. What happens if (my) package gets configured before apache2? I tried to install emacs23-common (big package) and dpkg-query returned the following:

gawain@laptop:~$ dpkg-query -f '${Status}' -W 'emacs23-common' 2>/dev/null
gawain@laptop:~$ dpkg-query -f '${Status}' -W 'emacs23-common' 2>/dev/null
install reinstreq half-installed
gawain@laptop:~$ dpkg-query -f '${Status}' -W 'emacs23-common' 2>/dev/null
install reinstreq unpacked
gawain@laptop:~$ dpkg-query -f '${Status}' -W 'emacs23-common' 2>/dev/null
install ok unpacked
gawain@laptop:~$ dpkg-query -f '${Status}' -W 'emacs23-common' 2>/dev/null
install ok installed
gawain@laptop:~$

If I'm not using Depends, it's not guaranteed that apache2 is configured before my package, right? If the new package (mine) gets configured before apache2 (alphabetical order or whatever reasons), the above check would return false and the apache2.2 code would wrongly be skipped, wouldn't it?

-- 
Kind regards,
Christian Welzel
Bug#702574: TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is susceptible to SQL Injection and Open Redirection.

Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.23, 4.6.0 up to 4.6.16, 4.7.0 up to 4.7.8 and 6.0.0 up to 6.0.2
Vulnerability Types: SQL Injection, Open Redirection
Overall Severity: High
Release Date: March 6, 2013

Vulnerable subcomponent: Extbase Framework
Vulnerability Type: SQL Injection
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:N/E:H/RL:O/RC:C
Problem Description: Failing to sanitize user input, the Extbase database abstraction layer is susceptible to SQL Injection. TYPO3 sites which have no Extbase extensions installed are not affected. Extbase extensions are affected if they use the Query Object Model and relation values are user generated input (e.g. $query->contains('model.categories', $userProvidedValue)).
Note: It has been reported to the TYPO3 Security Team that this problem is known and exploited in the wild.

Vulnerable subcomponent: Access tracking mechanism
Vulnerability Type: Open Redirection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
Problem Description: Failing to validate user provided input, the access tracking mechanism allows redirects to arbitrary URLs.
Important Notes: To fix this vulnerability, we had to break existing behaviour of TYPO3 sites that use the access tracking mechanism (jumpurl feature) to transform links to external sites. The link generation has been changed to include a hash that is checked before redirecting to an external URL. This means that old links that have been distributed (e.g. by a newsletter) will not work any more. If you are using the jumpurl feature you need to do the following: look up more information on http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

-- 
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
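The fix the bulletin describes for the jumpurl open redirect, a hash on the generated link that is checked before redirecting, amounts to signing the target URL with a site secret. The following is an added example, in Python rather than TYPO3's PHP and not the project's own code: the tracking link carries an HMAC over the exact target, and the redirect handler only follows it when the presented hash matches under a constant-time comparison. The parameter names jumpurl and juHash, the secret and the target URLs are assumptions of the example; as the bulletin warns, links issued without the hash (old newsletters) are refused rather than followed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for the example; a site would use its configured key.
SECRET_KEY = b"constructed-example-key-not-for-real-use"


def _url_hash(target_url, key):
    """HMAC-SHA256 over the exact target string; without the key a client cannot forge it."""
    return hmac.new(key, target_url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_jumpurl(target_url, key=SECRET_KEY):
    """Tracking link of the form /index.php?jumpurl=<target>&juHash=<hmac>."""
    query = urlencode({"jumpurl": target_url, "juHash": _url_hash(target_url, key)})
    return "/index.php?" + query


def resolve_jumpurl(request_url, key=SECRET_KEY):
    """Return the redirect target if its hash checks out, otherwise None (do not redirect).

    An unsigned link, a link whose target was edited, and a link signed with
    another site's key all come back as None, so the handler never redirects
    to a URL the site did not itself generate.
    """
    params = parse_qs(urlparse(request_url).query)
    target = params.get("jumpurl", [None])[0]
    presented = params.get("juHash", [""])[0]
    if target is None:
        return None
    if not hmac.compare_digest(presented, _url_hash(target, key)):
        return None
    return target


if __name__ == "__main__":
    link = make_jumpurl("https://partner.example.net/offer")
    print(link)
    print(resolve_jumpurl(link))                                                 # https://partner.example.net/offer
    print(resolve_jumpurl("/index.php?jumpurl=https%3A%2F%2Fevil.example%2F"))   # None
    print(resolve_jumpurl(link.replace("partner.example.net", "evil.example")))  # None
```

Signing the target rather than keeping an allow-list of destinations is what lets an editor link to any external site while still denying a crafted URL; the price, exactly as the bulletin states, is that every link distributed before the change stops working.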
Bug#698631: typo3-src: diff for NMU version 4.5.19+dfsg1-4.1
Hi Gregor,

> I've prepared an NMU for typo3-src (versioned as 4.5.19+dfsg1-4.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.

I'm fine with that. I do not have enough time currently to fix the issue myself, so your work is welcome! Thanks a lot.

-- 
Kind regards,
Christian Welzel
Bug#591969: Bug#695158: Bug#591969: Bug#695158: wheezy-ignore tag for RC bug #591969 in typo3-src
On 06.12.2012 at 12:07, Neil McGovern wrote:
> So, it looks like this bug isn't going to get fixed :(

I'm unsure if flex-sdk can compile AS1 code, but it can compile AS3 code. So at least the AS3 part can be fixed whenever flex-sdk enters Debian.

> Hrm. This doesn't quite cover the expected lifetime of Wheezy.

All newer versions up to 6.0 have shorter lifetimes. 4.5 and 6.0 have the same end-of-maintenance period.

> It's a judgement call, but given the LTS promise from upstream, I'll add a wheezy-ignore tag to this. I'd like to be clear that this will not be repeated for Jessie, but hopefully 6.0 will be in the archive then and this bug can be closed.

As I wrote: 6.0 added an even bigger chunk of AS3 code which cannot be compiled without flex-sdk.

-- 
Kind regards,
Christian Welzel
Bug#591969: Bug#695158: wheezy-ignore tag for RC bug #591969 in typo3-src
On 05.12.2012 at 13:07, Neil McGovern wrote:
> Can someone explain:
> 1) Why there were no updates to the bug between December 2010 and June 2012?

The bug could not be resolved, so I didn't see any reason to update it. Work was going on in the background to fix this (libjs-swfobject, libjs-swfupload and swftools are my packages to get this one resolved). Take a look into the changelog for exact dates of introduction.

> 2) What action is being taken to resolve the unbuildability of the AS1 SWFs?

Nothing. There is simply no open source AS1 compiler.

> 3) What action is being taken to resolve the bugs in as3compile (with bugrefs?)

Nothing. as3compile simply lacks the support for some of the language constructs used in the code.

> 4) How likely is it that this bug will be fixed before jessie?

I don't know. TYPO3 currently ships version 6.0; when jessie comes it will surely be 6.6+. 4.5 is outdated but an LTS version with support by upstream until 04-2014. TYPO3 6.0 introduced another big chunk of AS3 code (flowplayer) which surely cannot be built in main until flex-sdk hits the archive. I already skipped packaging 4.6 and 4.7 because of non-buildable Flash files.

> 5) Why wouldn't simply removing the package be a better idea?

Perhaps this is the better choice, as most new TYPO3 projects will use 6.0 or newer. I think many of the currently running installations are 4.6 or 4.7, and only a minority is at 4.5 currently.

-- 
Kind regards,
Christian Welzel
Bug#692775: TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is vulnerable to SQL Injection, Information Disclosure and Cross-Site Scripting.

Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up to 4.7.5 and development releases of the 6.0 branch
Vulnerability Types: SQL Injection, Cross-Site Scripting, Information Disclosure
Overall Severity: Medium
Release Date: November 8, 2012

Vulnerable subcomponent: TYPO3 Backend History Module
Vulnerability Type: SQL Injection, Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:N/E:F/RL:O/RC:C
Problem Description: Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability.

Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: Due to a missing access check, regular editors could see the history view of arbitrary records just by forging a proper URL for the History Module. A valid backend login is required to exploit this vulnerability.

Vulnerable subcomponent: TYPO3 Backend API
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly HTML-encode user input, the tree render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3 versions below 6.0 do not make use of this API and are thus not exploitable if no third-party extension is installed which uses this API. A valid backend login is required to exploit this vulnerability.

Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:O/RC:C
Problem Description: Failing to properly encode user input, the function menu API is susceptible to Cross-Site Scripting. A valid backend login is required to exploit this vulnerability.

-- 
Kind regards,
Christian Welzel
Bug#691918: RFP: libas-osmf -- The Open Source Media Framework
Package: wnpp
Severity: wishlist

 * Package name    : libas-osmf
   Version         : 2.0
   Upstream Author : Adobe
 * URL             : http://sourceforge.net/projects/osmf.adobe/
 * License         : MPL 1.1
   Programming Lang: ActionScript
   Description     : The Open Source Media Framework

Open Source Media Framework (OSMF) is an open software framework for building robust, feature-rich video players and applications based on the Adobe® Flash® Platform.
Bug#691919: RFP: libas-tlf -- Text Layout Framework
Package: wnpp
Severity: wishlist

 * Package name    : libas-tlf
   Version         : 3.0
   Upstream Author : Adobe
 * URL             : http://sourceforge.net/projects/tlf.adobe/
 * License         : MPL 1.1
   Programming Lang: ActionScript
   Description     : Text Layout Framework

The Text Layout Framework is an extensible ActionScript library, built on the new text engine in Adobe® Flash® Player 10 and Adobe AIR 1.5, which delivers advanced, easy-to-integrate typographic and text layout features for rich, sophisticated and innovative typography on the web.
Bug#691014: marked as done (RFS: swftools/0.9.2+ds1-3 [RC])
On 29.10.2012 at 21:47, David Prévot wrote:
>> The package was uploaded.
> Looks like it wasn't.

It was: http://packages.qa.debian.org/s/swftools.html
But it's currently waiting for its 10-day quarantine to be over.

-- 
Kind regards,
Christian Welzel
Bug#691516: RFP: python-cef -- Module that emits CEF logs
Package: wnpp
Severity: wishlist

 * Package name    : python-cef
   Version         : 0.5
   Upstream Author : Mozilla Services team
 * URL             : http://pypi.python.org/pypi/cef
 * License         : MPL
   Programming Lang: Python
   Description     : Module that emits CEF logs

Most Mozilla Services applications need to generate CEF logs. A CEF log is a formatted log that can be used by ArcSight, a central application used by the infrasec team to manage application security. The cef module provides a log_cef function that can be used to emit CEF logs.
Bug#691518: RFP: python-wsgiproxy -- HTTP proxying tools for WSGI apps
Package: wnpp
Severity: wishlist

 * Package name    : python-wsgiproxy
   Version         : 0.2.2
   Upstream Author : Ian Bicking
 * URL             : http://pypi.python.org/pypi/WSGIProxy/0.2.2
 * License         : MIT
   Programming Lang: Python
   Description     : HTTP proxying tools for WSGI apps

WSGIProxy gives tools to proxy arbitrary(ish) WSGI requests to other processes over HTTP.
Bug#691524: RFP: python-metlog -- Metrics Logging
Package: wnpp
Severity: wishlist

 * Package name    : python-metlog
   Version         : 0.9.8
   Upstream Author : Rob Miller
 * URL             : http://pypi.python.org/pypi/metlog-py/
 * License         : MPL
   Programming Lang: Python
   Description     : Metrics Logging

metlog-py is a Python client for the Metlog system of application logging and metrics gathering developed by the Mozilla Services team. The Metlog system is meant to make life easier for application developers with regard to generating and sending logging and analytics data to various destinations.
Bug#602499: Progress?
Hi there,

some time ago Apache Flex® 4.8.0 was released. Is there any progress in packaging this one for main?

-- 
Kind regards,
Christian Welzel
Bug#602499: Progress?
On 23.10.2012 at 16:51, Joey Parrish wrote:
> It should be much easier to build a proper package from sources for inclusion in main now that it's an Apache project, but someone else will have to take on packaging it.

Can your work be found somewhere?

-- 
Kind regards,
Christian Welzel
Bug#691194: unblock: swftools/0.9.2+ds1-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package swftools

There is an RC bug in swftools that prevents the included as3compile program from working properly on i386. This causes libjs-swfupload not to build from source on i386. 0.9.2+ds1-3 includes a patch to fix this problem.

Debdiff:

gawain@laptop:build-area$ debdiff swftools_0.9.2+ds1-2.dsc swftools_0.9.2+ds1-3.dsc diff -Nru swftools-0.9.2+ds1/debian/changelog swftools-0.9.2+ds1/debian/changelog --- swftools-0.9.2+ds1/debian/changelog 2012-04-21 20:18:34.0 +0200 +++ swftools-0.9.2+ds1/debian/changelog 2012-10-22 11:28:11.0 +0200 @@ -1,3 +1,9 @@ +swftools (0.9.2+ds1-3) unstable; urgency=low + + * Added fix for segfault on i386. (Closes: 690237) + + -- Christian Welzel gaw...@camlann.de Mon, 22 Oct 2012 12:42:54 +0100 + swftools (0.9.2+ds1-2) unstable; urgency=low * Removed numbering from patch names and sorted alphabetically. diff -Nru swftools-0.9.2+ds1/debian/patches/fix-segfault-690237.patch swftools-0.9.2+ds1/debian/patches/fix-segfault-690237.patch --- swftools-0.9.2+ds1/debian/patches/fix-segfault-690237.patch 1970-01-01 01:00:00.0 +0100 +++ swftools-0.9.2+ds1/debian/patches/fix-segfault-690237.patch 2012-10-22 11:28:11.0 +0200 
@@ -0,0 +1,24 @@ +Description: Fixes segfault on i386 (Closes 690237) +Author: Matthias Kramm kr...@quiss.org +Last-Update: 2012-10-18 + +diff --git a/lib/as3/registry.c b/lib/as3/registry.c +index 5aaef97..1bec405 100644 +--- a/lib/as3/registry.c b/lib/as3/registry.c +@@ -538,13 +538,13 @@ classinfo_t* registry_getMovieClip() { + + // --- builtin dummy types - + classinfo_t nullclass = { +-INFOTYPE_CLASS,0,0,ACCESS_PACKAGE, , null, 0, 0, 0 ++INFOTYPE_CLASS,0,0,ACCESS_PACKAGE, , null, 0,0,0,0,0,0,0,0,0,0,0,0,0, + }; + classinfo_t* registry_getnullclass() { + return nullclass; + } + classinfo_t voidclass = { +-INFOTYPE_CLASS,0,0,ACCESS_PACKAGE, , void, 0, 0, 0 ++INFOTYPE_CLASS,0,0,ACCESS_PACKAGE, , void, 0,0,0,0,0,0,0,0,0,0,0,0,0, + }; + classinfo_t* registry_getvoidclass() { + return voidclass; diff -Nru swftools-0.9.2+ds1/debian/patches/series swftools-0.9.2+ds1/debian/patches/series --- swftools-0.9.2+ds1/debian/patches/series2012-04-21 20:18:34.0 +0200 +++ swftools-0.9.2+ds1/debian/patches/series2012-10-22 11:28:11.0 +0200 @@ -6,3 +6,4 @@ makefile.patch spelling.patch remove-fontconfig.patch +fix-segfault-690237.patch

unblock swftools/0.9.2+ds1-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
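Review bot: the debian/changelog hunk's single entry, "Added fix for segfault on i386. (Closes: 690237)", does not say what the segfault breaks; since the unblock request justifies the upload with the as3compile crash that stops libjs-swfupload from building on i386, the changelog itself should name that effect so the RC nature of the fix is visible without the bug report.

Review bot: in the fix-segfault-690237.patch hunk for lib/as3/registry.c the only change is that the nullclass and voidclass initializer lists end in thirteen explicit zeros instead of three, and the DEP-3 header ("Description: Fixes segfault on i386") does not say why that matters. Members omitted from a C aggregate initializer are zero-initialized anyway, so the extra entries can only change behaviour if they populate something the short form leaves without storage, for instance a trailing flexible array member whose NULL terminator code walking the entries otherwise reads past the object; the Description should state the actual cause so the fix can be judged from the diff. Use the DEP-3 fields Origin: upstream (the author is swftools' upstream author) and Bug-Debian: http://bugs.debian.org/690237 in place of the free-form "(Closes 690237)" in the Description.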
Bug#691014: RFS: swftools/0.9.2+ds1-3 [RC]
Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor for my package swftools

* Package name: swftools
  Version : 0.9.2+ds1-3

It builds those binary packages:
swftools - Collection of utilities for SWF file manipulation/creation
swftools-dbg - Collection of utilities for SWF file manipulation/creation (debug

To access further information about this package, please visit the following URL: http://mentors.debian.net/package/swftools

Alternatively, one can download the package with dget using this command:
dget -x http://mentors.debian.net/debian/pool/main/s/swftools/swftools_0.9.2+ds1-3.dsc

Changes since the last upload:
* Added debug package.
* Added fix for segfault on i386. (Closes: 690237)
* Build with default debian hardening flags.

This new version fixes an RC bug, which prevents the package libjs-swfupload from building on i386.

--
MfG, Christian Welzel
GPG-Key: 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#690236: libjs-swfupload ftbfs in testing/unstable on i386
tags 690236 pending
tags 690237 pending

> Segmentation fault (core dumped)
> make: *** [build] Error 139

A fixed version of swftools was uploaded to mentors.d.n.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#690146: unblock: typo3-src/4.5.19+dfsg1-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package typo3-src The package in testing has an important bug that prevents the administrator of a newly installed TYPO3 installation from logging in to the backend of the CMS. This only affects new installations and is caused by wrong file permissions of the main config file (localconf.php) (not readable by the www-data user) and some missing TYPO3 extensions. The new version fixes this. debdiff: gawain@laptop:build-area$ debdiff typo3-src_4.5.19+dfsg1-1.dsc typo3-src_4.5.19+dfsg1-2.dsc diff -Nru typo3-src-4.5.19+dfsg1/debian/changelog typo3-src-4.5.19+dfsg1/debian/changelog --- typo3-src-4.5.19+dfsg1/debian/changelog 2012-08-18 07:23:37.0 +0200 +++ typo3-src-4.5.19+dfsg1/debian/changelog 2012-10-10 15:22:46.0 +0200 @@ -1,3 +1,11 @@ +typo3-src (4.5.19+dfsg1-2) unstable; urgency=low + + * Added rsaauth and saltedpasswords to the list of installed extensions and +change owner and permissions of generated localconf.php in postinst. +(Closes: 689329) + + -- Christian Welzel gaw...@camlann.de Wed, 10 Oct 2012 15:09:57 +0200 + typo3-src (4.5.19+dfsg1-1) unstable; urgency=high * New upstream release: diff -Nru typo3-src-4.5.19+dfsg1/debian/patches/dummy-defaults.patch typo3-src-4.5.19+dfsg1/debian/patches/dummy-defaults.patch --- typo3-src-4.5.19+dfsg1/debian/patches/dummy-defaults.patch 2012-08-18 07:23:37.0 +0200 +++ typo3-src-4.5.19+dfsg1/debian/patches/dummy-defaults.patch 2012-10-10 15:22:46.0 +0200 
@@ -9,7 +9,7 @@ $TYPO3_CONF_VARS['BE']['installToolPassword'] = 'bacb98acf97e0b6112b1d1b650b84971'; -$TYPO3_CONF_VARS['EXT']['extList'] = 'info,perm,func,filelist,about,version,tsconfig_help,context_help,extra_page_cm_options,impexp,sys_note,tstemplate,tstemplate_ceditor,tstemplate_info,tstemplate_objbrowser,tstemplate_analyzer,func_wizards,wizard_crpages,wizard_sortpages,lowlevel,install,belog,beuser,aboutmodules,setup,taskcenter,info_pagetsconfig,viewpage,rtehtmlarea,css_styled_content,t3skin,t3editor,reports,felogin'; -+$TYPO3_CONF_VARS['EXT']['extList'] = 'cms,lang,sv,em,fal,list,tsconfig_help,context_help,extra_page_cm_options,impexp,sys_note,tstemplate,tstemplate_ceditor,tstemplate_info,tstemplate_objbrowser,tstemplate_analyzer,func_wizards,wizard_crpages,wizard_sortpages,lowlevel,install,belog,beuser,aboutmodules,setup,taskcenter,info_pagetsconfig,viewpage,rtehtmlarea,css_styled_content,t3skin,t3editor,reports,info,perm,func,filelist,about,cshmanual,opendocs,recycler,scheduler,linkvalidator,pagetree'; ++$TYPO3_CONF_VARS['EXT']['extList'] = 'cms,lang,sv,em,fal,list,tsconfig_help,context_help,extra_page_cm_options,impexp,sys_note,tstemplate,tstemplate_ceditor,tstemplate_info,tstemplate_objbrowser,tstemplate_analyzer,func_wizards,wizard_crpages,wizard_sortpages,lowlevel,install,belog,beuser,aboutmodules,setup,taskcenter,info_pagetsconfig,viewpage,rtehtmlarea,css_styled_content,t3skin,t3editor,reports,info,perm,func,filelist,about,cshmanual,opendocs,recycler,scheduler,linkvalidator,pagetree,rsaauth,saltedpasswords'; $typo_db_extTableDef_script = 'extTables.php'; diff -Nru typo3-src-4.5.19+dfsg1/debian/typo3-dummy.postinst typo3-src-4.5.19+dfsg1/debian/typo3-dummy.postinst --- typo3-src-4.5.19+dfsg1/debian/typo3-dummy.postinst 2012-08-18 07:23:37.0 +0200 +++ typo3-src-4.5.19+dfsg1/debian/typo3-dummy.postinst 2012-10-10 15:22:46.0 +0200 
@@ -27,6 +27,8 @@ # genarate a random encryption key and set in into localconf.php KEY=$(tr -cd '[:alnum:]' /dev/urandom | fold -w 96 | head -n 1) sed -i 's/###ENCKEY###/'$KEY'/g' /etc/typo3-dummy/localconf.php +chown www-data:www-data /etc/typo3-dummy/localconf.php +chmod 0600 /etc/typo3-dummy/localconf.php fi # do database handling gawain@laptop:build-area$ unblock typo3-src/4.5.19+dfsg1-2 -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
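Review bot: in the typo3-dummy.postinst hunk, `chown www-data:www-data` followed by `chmod 0600` hands the web server user write access to the file holding the encryption key, the install tool password hash and the database settings, while the bug being fixed (#689329) is only that www-data could not read it. If TYPO3 has to rewrite localconf.php itself (the extension manager does, as discussed elsewhere in this thread), put that reason in a comment next to the chown; if read access would do, `chown root:www-data` with `chmod 0640` keeps a compromised PHP process from editing its own configuration. In either case the hard-coded `www-data` assumes the Debian default Apache/mod_php account; a php-fpm pool or another SAPI running under a different user will fail in exactly the way the bug describes, so the account name belongs in a variable at the top of the script rather than inline.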
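Review bot: the dummy-defaults.patch hunk appends rsaauth and saltedpasswords to the default extList, but nothing else in the debdiff touches the package dependencies. rsaauth needs PHP's openssl support (or the openssl command-line tool) at backend login time; unless that is already guaranteed by the existing Depends, a fresh install trades the "cannot read localconf.php" failure for an RSA-auth failure with the same symptom, so the changelog or patch header should say how this was checked. The unchanged context line above the change sets installToolPassword to a fixed MD5 digest (the TYPO3 dummy default); since postinst already rewrites this file to insert a random encryption key, that is the natural place to also replace the install tool password or at least document that the administrator must change it.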
Bug#689023: RFP: libjs-jquery-tools -- The Missing UI library for the Web
Package: wnpp
Severity: wishlist

* Package name: libjs-jquery-tools
  Version : 1.2.7
  Upstream Author : The flowplayer guys
* URL : http://jquerytools.org/
* License : do whatever you want
  Programming Lang: Javascript, CSS
  Description : jQuery Tools is a collection of the most important user-interface components for modern websites. Used by large sites all over the world.
Bug#685492: unblock: typo3-src/4.5.19+dfsg1-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package typo3-src

Hello there,
some days ago there was an announcement by TYPO3 upstream that there are some security issues in the current version. I filed a bug report (685011) against typo3 and prepared a fixed version. I uploaded that fixed version to unstable and hereby request a freeze exception for it. This request was also sent by email to the mailing list, because I was not aware you want those reports as bugs.

unblock typo3-src/4.5.19+dfsg1-1

-- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Bug#685011: TYPO3-CORE-SA-2012-004: Several Vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize leading to Arbitrary Code Execution

Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.18, 4.6.0 up to 4.6.11, 4.7.0 up to 4.7.3 and development releases of the 6.0 branch.
Vulnerability Types: Cross-Site Scripting, Information Disclosure, Insecure Unserialize
Overall Severity: Medium
Release Date: August 15, 2012

Vulnerable subcomponent: TYPO3 Backend Help System
Vulnerability Type: Insecure Unserialize leading to a possible Arbitrary Code Execution
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:C/A:N/E:P/RL:O/RC:C
Problem Description: Due to a missing signature (HMAC) for a parameter in the view_help.php file, an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit, which can lead to arbitrary code execution. A valid backend user login or multiple successful cross site request forgery attacks are required to exploit this vulnerability.

Vulnerable subcomponent: TYPO3 Backend
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.

Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: Accessing the configuration module discloses the Encryption Key. A valid backend user with access to the configuration module is required to exploit this vulnerability.

Vulnerable subcomponent: TYPO3 HTML Sanitizing API
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C
Problem Description: By not removing several HTML5 JavaScript events, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting. Failing to properly encode for JavaScript the API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site Scripting.

Vulnerable subcomponent: TYPO3 Install Tool
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C
Problem Description: Failing to properly sanitize user input, the Install Tool is susceptible to Cross-Site Scripting.

--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#681323: libjs-swfupload: XSS via ExternalInterface.call
Package: libjs-swfupload
Version: 2.2.0.1+ds1-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

libjs-swfupload contains an XSS security vulnerability that allows attackers to inject javascript code into the context of the current webpage. As a Flash applet can be loaded directly (with parameters in the URL), the Flash applet allows for reflected cross-site scripting. For sites where the applet is hosted on the same domain as the main website, this is a serious security concern.

More information can be found here: http://code.google.com/p/swfupload/issues/detail?id=376

-- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- no debconf information
Bug#591969: status
On 04.06.2012 12:55, Holger Levsen wrote:
> On Sunday, 3 June 2012, Christian Welzel wrote:
>> These files directly correlate to some of TYPO3 content elements. Removing the swf would mean to patch TYPO3 core too.
> so you would like to get this bug tagged wheezy-ignore again?

If that's necessary, then yes.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#591969: status
On 03.06.2012 10:06, Holger Levsen wrote:
> Can't they simply be removed as well, until there is a working compiler? Those files don't seem very critical to me at least... or?

These files directly correlate to some of TYPO3 content elements. Removing the swf would mean to patch TYPO3 core too.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#591969: status
On 01.06.2012 09:02, Holger Levsen wrote:
> what's the status of this bug?

> ./typo3/contrib/swfupload/swfupload.swf
Has been moved to its own package libjs-swfupload; it's removed from this package during get-orig-source.

> ./typo3/contrib/extjs/resources/charts.swf
It gets removed from this package during get-orig-source since 4.5.16+dfsg2. It's part of libjs-extjs, but the package in Debian is very old. We do not need this file, so it's deleted.

> ./typo3/contrib/flashmedia/flvplayer.swf
> ./typo3/contrib/flashmedia/player.swf
These are ActionScript 1 SWFs that cannot be compiled in Debian because of a missing AS1 compiler. Source code is included in the source package.

> ./typo3/contrib/flashmedia/swfobject/expressInstall.swf
> ./typo3/contrib/extjs/resources/expressinstall.swf
Moved to their own package libjs-swfobject, removed during get-orig-source.

> ./typo3/contrib/websvg/svg.swf
This is AS3, but as3compile cannot compile it because of missing features in as3compile. Source code is included in the source package.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#673438: RFS: libjs-swfupload/2.2.0.1-1 [ITP]
Hi Thomas,

> Oh, and besides this, building your package twice fails. Precisely because the swfupload.swf file binary content changes, and dpkg-source can't do its job:

Ok, thanks for that hint. I always build my packages with git-buildpackage and a separate build directory, so this is never a problem for me. I made a new package which removes the swfupload.swf and moves its build to a tmp-dir; now rebuilding works flawlessly.

http://mentors.debian.net/debian/pool/main/libj/libjs-swfupload/libjs-swfupload_2.2.0.1+ds1-1.dsc

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#673438: RFS: libjs-swfupload/2.2.0.1-1 [ITP]
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package libjs-swfupload

* Package name: libjs-swfupload
  Version : 2.2.0.1-1
  Upstream Author : Jake Roberts and others
* URL : http://code.google.com/p/swfupload/
* License : MIT
  Section : web

It builds those binary packages:
* libjs-swfupload - javascript library to use Flash's upload functionality

This package uses as3compile from the swftools suite to compile the Flash movie.

To access further information about this package, please visit the following URL: http://mentors.debian.net/package/libjs-swfupload

Alternatively, one can download the package with dget using this command:
dget -x http://mentors.debian.net/debian/pool/main/libj/libjs-swfupload/libjs-swfupload_2.2.0.1-1.dsc

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#609110: packaged
Hi there,

because nothing has happened here for over a year, I packaged version 2.2.0.1 of this software. The package can be found on mentors: http://mentors.debian.net/package/libjs-swfupload

Because I think it's more a JS library using some flash, the package is called libjs-swfupload and not flash-swfupload. The package uses as3compile from swftools for compiling the swf from source, so some more testing of the functionality would be welcome.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#669158: TYPO3-CORE-SA-2012-002: Cross-Site Scripting Vulnerability in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.14, 4.5.0 up to 4.5.14, 4.6.0 up to 4.6.7 and development releases of the 4.7 branch.

Vulnerable subcomponent: Exception Handler
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly encode the output, the default TYPO3 Exception Handler is susceptible to Cross-Site Scripting. We are not aware of a possibility to exploit this vulnerability without third party extensions being installed that put user input in exception messages. However it has come to our attention that extensions using the extbase MVC framework can be used to exploit this vulnerability if these extensions accept objects in controller actions. In general and especially when in doubt if the above conditions are met, we highly recommend users of affected versions to update as soon as possible.

Important Note: In case you have configured your own exception handler for TYPO3 you need to make sure that the exception messages are properly encoded within this exception handler before they are presented.

--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
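The closing note of this bulletin (encode exception messages in a custom exception handler) and the t3lib_div::quoteJSvalue() item in TYPO3-CORE-SA-2012-004 further up the page are both output-encoding defects, one in HTML context and one inside a JavaScript string literal. The PHP below is an added illustration of the two encodings and is not TYPO3's own code; the function names, the handler shape and the sample payload are this example's assumptions.

```php
<?php
// Added example, not TYPO3 code. Shows context-specific output encoding for
// (1) a message interpolated into HTML and (2) a value placed in a JS string.

function html_escape(string $s): string
{
    // ENT_QUOTES: escape both quote styles so the value is also safe in attributes.
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning '' (silent data loss).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function js_string_literal(string $s): string
{
    // json_encode yields a valid JS string literal (quotes, backslashes, control
    // characters and non-ASCII are escaped, '/' becomes '\/'). The HEX flags also
    // turn < > & ' " into \uXXXX, so a "</script>" inside the data cannot close
    // an inline script block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($s, $flags);
    if ($literal === false) {
        // Invalid UTF-8: fail closed with an empty literal rather than echo raw input.
        return '""';
    }
    return $literal;
}

// The handler shape the bulletin warns about: if an extension put request data
// into the exception message, that data is attacker-controlled.
function render_exception_unsafe(Throwable $e): string
{
    return '<h1>Oops</h1><p>' . $e->getMessage() . '</p>';
}

function render_exception_safe(Throwable $e): string
{
    $msg = $e->getMessage();
    return '<h1>Oops</h1><p>' . html_escape($msg) . '</p>'
         . '<script>console.error(' . js_string_literal($msg) . ');</script>';
}

// Register the safe renderer as the process-wide uncaught-exception handler.
set_exception_handler(function (Throwable $e): void {
    http_response_code(500);
    echo render_exception_safe($e);
});

// Constructed attacker-controlled input, as an extension might place it in a message.
$payload = '<img src=x onerror=alert(1)>"</script><script>alert(2)</script>';
$e = new RuntimeException('Argument "' . $payload . '" is not an object');

echo render_exception_unsafe($e), "\n";   // vulnerable variant, for comparison
echo render_exception_safe($e), "\n";     // each context encoded on its own terms
```

Encoding at the output point is the robust fix for both items: a blacklist filter such as the RemoveXSS() method named in the later bulletin has to know every dangerous attribute and event name, whereas htmlspecialchars() and json_encode() neutralise the syntax characters themselves regardless of which tag or handler the attacker chose.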
Bug#668553: RFS: swftools/0.9.2+ds1-1 [ITP]
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package swftools

* Package name: swftools
  Version : 0.9.2+ds1-1
  Upstream Author : Matthias Kramm kr...@quiss.org and others
* URL : http://www.swftools.org/
* License : GPL
  Section : utils

It builds those binary packages:
swftools - Collection of utilities for SWF file manipulation/creation

To access further information about this package, please visit the following URL: http://mentors.debian.net/package/swftools

Alternatively, one can download the package with dget using this command:
dget -x http://mentors.debian.net/debian/pool/main/s/swftools/swftools_0.9.2+ds1-1.dsc

This package does not include pdf2swf and avi2swf. pdf2swf is not built, because it needs a patched xpdf 3.03. avi2swf is obsolete and mencoder can be used for this.

Changes since the last upload:
* New maintainer (Closes: 583982).
* New upstream release.
* Bump Standards Version to 3.9.3.
* Switch to source format 3.0 (quilt), remove dpatch, rename patch files.
* Raise dh compat level to 7.
* debian/rules completely rewritten.
* Add build-depends on autotools-dev, flex, libjpeg8-dev.
* Refresh patches.
* Remove 02_faq.patch (file FAQ removed from upstream source).
* README.source rewritten.
* Add build depends on libpoppler-dev and autoconf.
* Removed conflict and replace with libming = 1:0.3.0-11.1 as all versions in debian are later than this one.
* Updated watch file.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#666237: typo3-dummy: prompting due to modified conffiles which where not modified by the user
On 01.04.2012 09:40, Holger Levsen wrote:
> In the light of this, I wonder how sensible it is, to treat this file as a conffile at all. What's the point?

It's the file which holds the main configuration of the TYPO3 installation. That file can be modified from within TYPO3 (extension manager) and from outside (vi). Overwriting this file is the second worst idea after deleting the database.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#666237: typo3-dummy: prompting due to modified conffiles which where not modified by the user
On 29.03.2012 23:44, Andreas Beckmann wrote:
> shows up in the first place, as there was nobody modifying this conffile at all, the package has just been installed and upgraded...

localconf.php contains an encryption key that is unique to the installation and is generated during installation. The key must not be overridden by updates, as it would make the cache of pages and images invalid. That would require TYPO3 to regenerate all this cache from scratch and would kill every bigger installation. That's why localconf.php is marked as modified. TYPO3 itself also modifies this file on its own in various situations. As soon as someone opens the website or the backend, this file could have been changed by TYPO3.

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#666074: TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several Vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

Component Type: TYPO3 Core
Affected Versions: 4.4.0 up to 4.4.13, 4.5.0 up to 4.5.13, 4.6.0 up to 4.6.6 and development releases of the 4.7 and 6.0 branch.
Vulnerability Types: Cross-Site Scripting, Information Disclosure, Insecure Unserialize
Overall Severity: Medium
Release Date: March 28, 2012

Vulnerable subcomponent: Extbase Framework
Affected Versions: Versions 4.4.x and 4.5.x are NOT affected by this vulnerability.
Vulnerability Type: Insecure Unserialize
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within TYPO3. To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the TYPO3 Core. However, there might be exploitable objects within third party extensions.

Vulnerable subcomponent: TYPO3 Backend
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.

IMPORTANT NOTE: With these TYPO3 versions the description field of the filelink content element is HTML encoded by default. If you allowed editors to enter HTML code in this field, you may want to add the following line to your TypoScript template, before updating.

tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0

Allowing HTML in this field is discouraged for editors, same as allowing the plain HTML content element.

Vulnerable subcomponent: TYPO3 Command Line Interface
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: Accessing a CLI Script directly with a browser may disclose the database name used for the TYPO3 installation.

Vulnerable subcomponent: TYPO3 HTML Sanitizing API
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: By not removing non printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting.

--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
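This bulletin's Extbase item and the view_help.php item in TYPO3-CORE-SA-2012-004 earlier on the page describe the same defect class: a serialized value travels in a request parameter and reaches unserialize() without a signature, so the requester picks which classes (and which __wakeup()/__destruct() methods) come to life. The PHP below is an added illustration of the signed-parameter pattern both bulletins allude to with "missing signature (HMAC)"; it is not TYPO3's implementation, and the function names, the SECRET constant and the sample payloads are this example's own assumptions.

```php
<?php
// Added example, not TYPO3 code. SECRET stands in for a per-installation
// secret such as the encryption key (assumption for this demo).
const SECRET = 'replace-with-a-long-random-per-installation-secret';

// Vulnerable shape: whatever arrived over HTTP is deserialized as-is, so the
// client decides which classes get instantiated and which magic methods run.
function restore_unsafe(string $param)
{
    return unserialize(base64_decode($param));
}

// Hardened: the value is only accepted together with an HMAC computed with a
// server-side secret; without SECRET nobody can forge a payload that verifies.
function sign_param(array $state): string
{
    $payload = base64_encode(serialize($state));
    $mac = hash_hmac('sha256', $payload, SECRET);
    return $payload . '.' . $mac;   // '.' is not part of the base64 alphabet
}

function restore_signed(string $param): ?array
{
    $parts = explode('.', $param, 2);
    if (count($parts) !== 2) {
        return null;                                   // no signature present
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SECRET);
    if (!hash_equals($expected, $mac)) {               // constant-time compare
        return null;                                   // forged or tampered
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;                                   // not valid base64
    }
    // Defence in depth: even a verified payload may only carry arrays/scalars.
    // With allowed_classes => false, an embedded object becomes
    // __PHP_Incomplete_Class instead of a live object with magic methods.
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Constructed demo inputs.
$good = sign_param(['uid' => 42, 'table' => 'pages']);

// Flip the first character of the payload: the MAC no longer covers this data.
$tampered = ($good[0] === 'A' ? 'B' : 'A') . substr($good, 1);

// Attacker-chosen object graph submitted without any signature (constructed sample).
$evil = base64_encode('O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}');

var_dump(restore_signed($good));       // signed by the server
var_dump(restore_signed($tampered));   // signature no longer matches
var_dump(restore_signed($evil));       // unsigned attacker input
var_dump(restore_unsafe($evil));       // the vulnerable path, for comparison
```

Two design points matter here. The MAC is checked with hash_equals() before base64_decode() or unserialize() touch the data, so attacker input never reaches the parser at all; and the allowed_classes restriction is kept even after a valid MAC, because the bulletins themselves note that the exploitable objects may live in third-party extensions the core author cannot audit.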
Bug#665981: debian-maintainers: Please add Christian Welzel as Debian Maintainer
Package: debian-maintainers Severity: normal Dear Maintainer, Please add Christian Welzel gaw...@camlann.de to the Debian Maintainer keyring. Find the corresponding jetring changeset attached. Thanks a lot, -- MfG, Christian Welzel GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119 Comment: Add Christian Welzel as a Debian Maintainer Date: Fri, 23 Mar 2012 16:11:20 +0100 Action: import Recommended-By: Holger Levsen hol...@layer-acht.org Agreement: http://lists.debian.org/debian-newmaint/2012/03/msg00041.html Advocates: http://lists.debian.org/debian-newmaint/2012/03/msg00044.html Data: -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v1.4.12 (GNU/Linux) mQINBE53pnEBEACqyzCJxLqkm8y5UVBFrjspzUFaOmQgniM5aQH43CMhZsNZNCsu hqDKLRsugyBNcmUGjp+Uo7yKNc+BRPybE6PlhpyA3y0BdJ9k5OHjWa85rntC4Aoe MnZundwbmUMfgXlTGEj95vrXOk0G6OezrZPoLOLFQnmHqh575Q3J5JbMSw1MJ2DR 6aIL5jqG3myIg8KdOgOFkVjsELBN7sjAKbb8GMcSEr7PAmN5cFft4hiBREXSypP5 ByJ20KWqKFAfwK6xnsl04asyq/1WbKrDuRzDkAeXV7zmgktOFzYBsBQTS6JZ3Ftp XApSubisH7j5F8CzZwxShZuNChbScjNivTRJnY5JbXuWFsVsGKKtMPfQaFq527Pf lAjMZMXaCY9m8dBzNF9juo3NmTFvouASyRaiIAzI8EuQd+ZrLgVnxhlV8dXFUk1d aO9Byg6eQ9jJBvntKTj1esl/Xw2PhSGiDvxAA2tE62q8WLnpdbJ0uq6GqnI/lIPu B3LhS2KGwx97iiSIyl9kOMsh78eOrCLpnkSb4O+TLVy2QCJcivNn3T94CMjhtARn YMgWYmgUczyEJFQ9jY/nG9yPuG6RU+DnseTfVeUQKlrr6rcwtCV/iAjFHrq1jX3j T9rQWOPbagxCFnPrt1zYxw3iaAo+IJRbM47WsITB8hw3BAOS0pdgSpE7fQARAQAB tCRDaHJpc3RpYW4gV2VsemVsIDxnYXdhaW5AY2FtbGFubi5kZT6JAjoEEwEIACQC GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAk53qLMCGQEACgkQjVLN6VEX4Rla Eg//eHJ9TM4QoYVdxlDcg/KiiZBwWQy1caM6/cFOpHG0AGgVUbTTSxqDoLfcQiZE 3fE7Z+13j4F8l1KDxhkLTpUZYfF2fB3Hqvtt880BJ1HnZblqQ/czkAF9OPR/6kEd m2n1KszlrgK9pzTKPp0oCAevW1OgADW+eXzESK13XK6BWlmwTIAtoaFClxGKoARb IxmOgNK1zqGmMnsGMCsQCdqU4DSDs/FsegRg5w7qjusmqaB8a2IwKd/tPxb5b+eR bVJqlD4g0mPFfIx6a9fZhA0GfS6tQI8AeWq+JrXAb69SEHcX8h3RGBJCT5XT/EBR jZAecqtMUbu4WwCx52Q3PsVCzzktRlEwz/x89xFTdcRTKTD78jYkcS72NFeR8EkJ 
Yl/Q9+MIs8WskpyAt8HWYv6qbhOONVOdp/MHwDXBUFpdVAasIC6Jd9kD9Qa2l0px dem3vfS85aIoBlI99/nREdTm/AcLa5tCdYGJG6N+nPyAQ1dDChw2O4/Bj2QjCuqn v6CnNv1KXpHsrXRTI3oKmvMXnjuFl8C0iH8od56b9u6jV8YKtgJZG59MHFANgT1W +hZvEfYiq+P/p+RwCJmEfRFNVvIOK/Uacif3bbR6hCkRKf6JB2auq102TqhYdls+ aDmZzvJgPaclq7IIyy1sqAZGXQgX8YLYJeN9DsWEeSfR0dSITQQQEQgADQUCTnew bgIHAAMFAngACgkQwmhtJHChrRXwxACgi0P+cre6MLI2SiI15tOUr9rp3ykAoNJ3 yf27Od/zu52dac+7PtcQrTOWiGsEEBECACsFAk8hxkoFgwHihQAeGmh0dHA6Ly93 d3cuY2FjZXJ0Lm9yZy9jcHMucGhwAAoJENK7DQFl0P1Yfz8An2DY6dy2JfMmQcJm whwRoeVHxFoOAKCgGiu6EYhcqvkz06QUPh4NT9zbk4kCHAQQAQoABgUCTymobAAK CRCnPgBVVY+43cHEEAC4ihM3VyfJNyiE7rJsbMtVhYkHvjZE1xfJPmLmph6p+DqK //O1E1aWQrKQzYsHbs0jJgSWzMrIyHadbWa5OasKSHNSWFvtofV4n3jFcnN5hsR6 5AyM2Hng0gy/RGE25W7z4nYIlKUvLPZSY3mKb1VFGmGhtbQTdqolMVBKFs0FzGaQ VgScZSpOypKpanNrCJ2/O8CdaHaT8OM5Xt3VwD6G1jjedUhY16wUYmc+FZDWng6u DPsmCrCcEObwdf9Ra2eIq2UXvWaexZ9JCBzgbc5yrB5zlHTs+Jz9m3Z/l6JQ6ncH +UPuPl8JBL+D3yX217Brt+TkLiKnbdAHGBRvFpQOK6TpB1bYljgREUI5MrWnbPD2 Hg4rtg0FRHUg8MruTXqWnQE/BCl4OD7YBTnGnY8csCpgjbEyQ9u2x4ywf86ZmmPh IL+RxiOmIv1wnWhBrVKU8VUXy0aWr7EMqys9F2aVvb7xgLnCm4rSIUmU0StgkayU e+YPHH6dcZTpnLWuMkdvz1K07+8wDOzikZOO7gFRfkMBbrKOLD2NscUTp+zUBNY4 9aqCpBf3DIBWogyPGX4Pw9DLB3gGftp6Wstg7xKcOQj8vti40KCBLCNEjc4IQddh 64fTiCn1NsUwmnS16gnww0AntbF/AElsnPwVXV9mxJZ+0WE3CN0UZJUJqrgqBYhG BBMRAgAGBQJPNDR7AAoJEMAH3rswglNF0GsAoLo+6DZ5bB/dn/5k1d1KIEnOobjm AJ9zeijzI1pldTDpfqKL+EKUu2P2IrQrQ2hyaXN0aWFuIFdlbHplbCA8Z2F3YWlu QHdoOS50dS1kcmVzZGVuLmRlPokCNwQTAQgAIQUCTneobAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAAKCRCNUs3pURfhGTtUD/45rDAKlCUAcP8DSugtz2EpBzsv CIDNJ0MfyuhWCuZ6A8j6egBQbgsDZ05EwV40MNN+ebtlUdIhQJBbjsP295dgfC72 YiGFDFxgk1o8Owf8lO7mhcUUb2rYxjfvJE0KQP+8AHj8SjSzur5JviCHI9SI8baI 0exZleHYejLf/Kez9pOyt+B51/8WeeyEHRM//xbVmG0oYihZtYDkxrtUh2GRcZKr Qf8VCS+Zs1IwojihkyyJa5VWcPGIA7eomGHBesK9jBiOUzh3KJuRNqI3pqH/Xsu3 fiK/JjVIwNtCmbaZFOtpftiG0Z73gVO6g836xdFg0K7ak0p4k7vL6DuiYSo0v+aU IeK2tAamV4cWaKKyN3Zjc8ovpaDvCXhq9zF/lhaP7J1+SQpkm0i6ns5zbS7tA3BL 
BFPAWlyv6mvmGV+HbHHMtZQzKSkfeDf6HGa1MJPxaQ7ZDr741A2RtKYctYXPzbu5 LEnPiLkuEY5zAgKQrEQQOqNEJRsA2OMkH+T5fq8j3A7Q0ObJvqfK6MbhNJWuzo0T k87IvFvnOsKWJSb7SpuPJt8HQ7BZ2OEQBSe6fLsDEKlO5fuQyckl7tISNqEmFx7Z te3IGrdNCgAaeWaVLLw4Gvf/nr/hfi7sKbUW26FFGM7a634Q5+B/URHDHbdR67Mr 3wKmMbilDgipbM+cPohNBBARCAANBQJOd7BuAgcAAwUCeAAKCRDCaG0kcKGtFUl3 AJ94TWs/KRpTu1VtOZ1G0TBHuGGgzACg9MbKpYQf+ipDbpRfJiw1xoUkh/aIawQQ EQIAKwUCTyHGSgWDAeKFAB4aaHR0cDovL3d3dy5jYWNlcnQub3JnL2Nwcy5waHAA CgkQ0rsNAWXQ/VgZoACZAR2aXAOHlTZQRHjdrsHC+WrVH7gAn2NT/s2+CGJOSUCz dP1XWRICoR7PiQIcBBABCgAGBQJPKahsAAoJEKc+AFVVj7jd0YkQAMXbq6AYEZcu q4vsSnDQrUeIxT3zBVt0yoq3vKaSBtGpo7I5uNMi2cGS7IlyIz+qos5hVOryy2Pz 7Cy/WInIcmVzsfAa9G0a0WAI1laXMkEI74xi/KQ7wR896VaVRiRVKsYqqYq8nwJf k9+9PrECb8iLWNrRT51sKykDMsyGkQyWcuNS38Rq1sxLyghCe2shcIACoySf6Kt/ wnM+TJOlEIdwE0M4sVIolKM1q1gC4elBmtPD9bNlQA0zSB+JO1LNGSb8TiTD8YcO 7jHUVnKAki0pxThYPmYd/3Ra4makY1aFVSRXw4fOcIPChQYgcDmoZTnZAYs5RwxW Bgm
Bug#467288: same problem here
On 12.03.2012 03:03, Joey Hess wrote:
> pristine-tar commit writes, to the pristine-tar branch of your repository, a file named `$origtarball.id`. This file contains the git sha1 of the branch you told it to commit, which is the data that pristine-tar checkout relies on to put the tarball back together. By filter-branching your repo, you have changed the sha1 of all the commits in the branches. By running git gc, you nuked the refs that pristine-tar relied on.

It was not clear to me how pristine-tar works. Perhaps you should add a note to the manpage pointing to the dangers of using filter-tree with pristine-tar.

> pristine-tar could store the sha1 of the tree, rather than the sha1 of the commit. That would have avoided your problem, since your filter-branch did not change any trees. It does not avoid the problem when doing a filter-branch generally, since it can and often is used to change trees too.

Would it be an option to use tags instead of commit ids? As I read, git can tag any object, so you can tag the commit (or tree) after import and use that. filter-tree at least warns about not changing tags if someone changes the commit.

> Of course, making this change would do nothing to existing repositories that contain tree sha1's in the id files. You're free to check out the pristine-tar branch of your repo and fix up the `$origtarball.id` to contain the new refs manually..

Also worth an addition to the man page? How to recover from filter-tree?

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#467288: same problem here
Hi there,

I ran into this problem today. I modified my repo by filter-branch to set the committer-date to the author-date, and then ran git gc. Now pristine-tar cannot export the tar.gz anymore:

(master)$ pristine-tar -vd checkout typo3-src_4.5.11+dfsg1.orig.tar.gz
pristine-tar: git archive --format=tar af10f93e31e2a6a809fdf24e34f6c6bf3a71606f | (cd '/tmp/pristine-tar.aLUBc5aaTJ' tar x)
fatal: not a tree object
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
pristine-tar: command failed: git archive --format=tar af10f93e31e2a6a809fdf24e34f6c6bf3a71606f | (cd '/tmp/pristine-tar.aLUBc5aaTJ' tar x)

--
MfG, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19 Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#583982: packaging work
Hi there,

lately I did some work on this package based on the Ubuntu packages. The embedded copy of xpdf has been removed and pdf2swf is linked against libpoppler. But to compile pdf2swf I had to remove some code regarding font handling, so generated PDFs have no fonts. I need some help on this issue.

Current (broken) packages can be found here: http://typo3.camlann.de/swftools/

All programs except pdf2swf should work normally.

-- 
Regards, Christian Welzel
GPG-Key: pub 4096R/5117E119 2011-09-19
Fingerprint: 3688 337C 0D3E 3725 94EC E401 8D52 CDE9 5117 E119
Bug#602253: Duplicate
Hi there,

this is a duplicate of 609110.

-- 
Regards, Christian Welzel
Bug#657058: flowplayer
Package: wnpp
Severity: wishlist

* Package name    : flowplayer
  Version         : 3.2.7
  Upstream Author : Flowplayer Ltd
* URL             : http://flowplayer.org/index.html
* License         : GPL-3
  Programming Lang: Flash/Javascript
  Description     : The video player for the Web

Flowplayer is an Open Source (GPL 3) video player for the web. Use it to embed video streams into your web pages. Built for site owners, developers, hobbyists, businesses, and serious programmers.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#657065: libjs-videojs
Package: wnpp
Severity: wishlist

* Package name    : libjs-videojs
  Version         : 3.0.7
  Upstream Author :
* URL             : http://videojs.com/
* License         : LGPL-3
  Programming Lang: Javascript
  Description     : JavaScript and CSS library for HTML5 video

Video.js is a JavaScript and CSS library that makes it easier to work with and build on HTML5 video, today. This is also known as an HTML5 Video Player. Video.js provides a common controls skin built in HTML/CSS, fixes cross-browser inconsistencies, adds additional features like fullscreen and subtitles, manages the fallback to Flash or other playback technologies when HTML5 video isn't supported, and also provides a consistent JavaScript API for interacting with the video.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#652365: TYPO3 Security Bulletin TYPO3-CORE-SA-2011-004: Remote Code Execution in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1
Vulnerability Types: Remote Code Execution
Overall Severity: Critical

Vulnerable subcomponent: TYPO3 workspaces

Vulnerability Type: Remote Code Execution
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
Problem Description: A PHP file which is part of the workspaces system extension does not validate passed arguments. You are only vulnerable if all of the following conditions are met:

1. You are using TYPO3 version 4.5.0 up to 4.5.8, 4.6.0 or 4.6.1.
2. You have all of the following PHP configuration variables set to on: register_globals (off by default, advised to be off in the TYPO3 Security Guide), allow_url_include (off by default) and allow_url_fopen (on by default).

If you are using the Suhosin PHP extension you are only vulnerable if you have additionally put URL schemes in the configuration variable suhosin.executor.include.whitelist. The workspaces system extension does not need to be activated for this vulnerability to exist.

Possible Impact: A crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external source and to execute it on the TYPO3 installation.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#651960: php-http-request2
Package: wnpp
Severity: wishlist

* Package name    : php-http-request2
  Version         : 2.0
  Upstream Author :
* URL             : http://pear.php.net/package/HTTP_Request2/
* License         : BSD
  Programming Lang: PHP
  Description     : Provides an easy way to perform HTTP requests.

PHP5 rewrite of HTTP_Request package (with parts of HTTP_Client). Provides cleaner API and pluggable Adapters:

* Socket adapter, based on old HTTP_Request code,
* Curl adapter, wraps around PHP's cURL extension,
* Mock adapter, to use for testing packages dependent on HTTP_Request2.

Supports POST requests with data and file uploads, basic and digest authentication, cookies, managing cookies across requests, proxies, gzip and deflate encodings, redirects, monitoring the request progress with Observers.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#651961: php-http-request2
Package: wnpp
Severity: wishlist

* Package name    : php-net-url2
  Version         : 2.0
  Upstream Author :
* URL             : http://pear.php.net/package/Net_URL2
* License         : BSD
  Programming Lang: PHP
  Description     : Class for parsing and handling URL.

Provides parsing of URLs into their constituent parts (scheme, host, path etc.), URL generation, and resolving of relative URLs.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#651963: libjs-extjs4
Package: wnpp
Severity: wishlist

* Package name    : libjs-extjs4
  Version         :
  Upstream Author :
* URL             : http://www.sencha.com/products/extjs/
* License         : GPL-3
  Programming Lang: Javascript
  Description     : JavaScript Framework for Rich Apps in Every Browser

Ext JS 4 is the next major advancement in our JavaScript framework. Featuring expanded functionality, plugin-free charting, and a new MVC architecture it's the best Ext JS yet. Create incredible web apps for every browser.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#651128: Wrong symbolic link
On 07.12.2011 08:50, Andreas Rittershofer wrote:

> The problem is caused due to a wrong symbolic link to prototype.js. After correcting this symbolic link, TYPO3 runs fine.

What exactly caused that wrong symlink? My tests worked well and all symlinks are correct.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#650837: RFP: svgweb
Package: wnpp
Severity: wishlist

* Package name    : svgweb
  Version         :
  Upstream Author : http://code.google.com/p/svgweb/
* URL             : http://code.google.com/p/svgweb/
* License         : Apache-2.0
  Programming Lang: Flash + Javascript
  Description     : Scalable Vector Graphics for Web Browsers using Flash

SVG Web is a JavaScript library which provides SVG support on many browsers, including Internet Explorer, Firefox, and Safari. Using the library plus native SVG support you can instantly target ~95% of the existing installed web base. Once dropped in you get partial support for SVG 1.1, SVG Animation (SMIL), Fonts, Video and Audio, DOM and style scripting through JavaScript, and more in a small library. Your SVG content can be embedded directly into normal HTML 5 or through the OBJECT tag. If native SVG support is already present in the browser then that is used, though you can override this and have the SVG Web toolkit handle things instead. No downloads or plugins are necessary other than Flash 10 which is used for the actual rendering, so it's very easy to use and incorporate into an existing web site.

-- 
Kind regards,
Christian Welzel

schech.net Strategy. Communication. Design.
http://www.schech.net
Ostra-Allee 9 · 01067 Dresden
Phone +49-351-8361445 Fax +49-351-8361446
schech.net GbR Jacqueline and Dominik Schech
VAT ID DE 253708196
Bug#641682: TYPO3 Security Bulletin TYPO3-CORE-SA-2011-002: Potential SQL injection vulnerability in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security
Version: 4.5.4+dfsg1-1

Component Type: TYPO3 Core
Affected Versions: 4.5.0 - 4.5.5
Release Date: September 14, 2011

Vulnerable subcomponent: Database API

Vulnerability Type: SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Failing to properly replace parameter values, the usage of prepared statements could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input. We carefully analysed the usage of prepared queries in the TYPO3 Core and found that it is not exploitable. We are also not aware of any extension in the TER that uses this feature in an exploitable way. Nevertheless all users of TYPO3 4.5.x are advised to update their installations as soon as possible.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
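An added illustration of the bug class this bulletin describes: a binder that substitutes `?` placeholders one bound parameter at a time, beside one that walks the template in a single pass. This is example code, not TYPO3's database API; the per-parameter binder is a hypothetical reconstruction of the mistake, and `quoteValue()` is a constructed stand-in for driver-side quoting.

```php
<?php
// Added example, not TYPO3 code. Shows why '?' placeholders in a prepared-style
// query must be substituted in one pass over the template rather than once per
// bound parameter. quoteValue() is a constructed stand-in for driver-side
// quoting; real code must let the database driver quote or bind values.

function quoteValue(string $value): string
{
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $value) . "'";
}

// Broken (hypothetical) binder: for every parameter it looks for the first '?'
// left in the *current* string, so a '?' inside an already substituted value is
// mistaken for the next placeholder and the real second placeholder survives.
function bindPerParameter(string $sql, array $params): string
{
    foreach ($params as $value) {
        $pos = strpos($sql, '?');
        if ($pos === false) {
            break;
        }
        $sql = substr($sql, 0, $pos) . quoteValue((string) $value) . substr($sql, $pos + 1);
    }
    return $sql;
}

// Correct binder: walk the trusted template once; substituted text is written
// to the output buffer and is never rescanned for placeholders.
function bindSinglePass(string $sql, array $params): string
{
    $out = '';
    $next = 0;
    $length = strlen($sql);
    for ($i = 0; $i < $length; $i++) {
        if ($sql[$i] !== '?') {
            $out .= $sql[$i];
            continue;
        }
        if (!array_key_exists($next, $params)) {
            throw new InvalidArgumentException('more placeholders than bound parameters');
        }
        $out .= quoteValue((string) $params[$next++]);
    }
    if ($next !== count($params)) {
        throw new InvalidArgumentException('more bound parameters than placeholders');
    }
    return $out;
}

// Constructed input: two bound values, the first of which contains a '?'.
$template = 'SELECT uid FROM pages WHERE title = ? AND nav_title = ?';
$values   = ['a?b', 'second'];

echo bindPerParameter($template, $values), PHP_EOL;
echo bindSinglePass($template, $values), PHP_EOL;
```

With the per-parameter binder the second value lands inside the first string literal and the final placeholder is left unbound, so the shape of the statement now depends on what the first value contained; this is why the bulletin's condition is "two or more parameters bound, at least two from user input". The single-pass binder keeps every bound value inside its own quoted literal, and it rejects a parameter count that does not match the template instead of silently continuing.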
Bug#641683: TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error handling could lead to cache flooding in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

Component Type: TYPO3 Core
Affected Versions: 4.2.0-4.2.17, 4.3.0-4.3.13, 4.5.0-4.5.5
Release Date: September 14, 2011

Vulnerable subcomponent: Caching System

Vulnerability Type: Improper error handling
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
Problem Description: When configured to explicitly deny cache disabling through a URL parameter ($TYPO3_CONF_VARS['FE']['disableNoCacheParameter']), TYPO3 fails to disable caching when an invalid cache hash URL parameter (cHash) is provided. This allows an attacker to easily flood the caching tables of TYPO3.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#619642: Current version?
On 31.07.2011 05:14, Thomas Goirand wrote:

> I may upgrade to 3.4.0 in SID if extplorer supports it, but at some

3.4 would be enough for my needs with the typo3 package. On the mailing list there were discussions about using 4.0, but I do not think it's coming for 4.6.

> That is unless, Christian, you are willing to help maintaining extjs and/or extplorer,

I can help here and there, but I'm busy with other projects besides Debian, so I cannot do so much.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#635937: TYPO3 Security Bulletin TYPO3-CORE-SA-2011-001: Multiple vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security
Version: 4.5.3+dfsg1-1, 4.3.9+dfsg1-1

Component Type: TYPO3 Core
Affected Versions: 4.3.11 and below, 4.4.8 and below, 4.5.3 and below
Vulnerability Types: Cross-Site Scripting (XSS), Information Disclosure, Authentication Delay Bypass, Unserialize() vulnerability, Missing Access Control
Overall Severity: High
Release Date: July 27, 2011

Vulnerable subcomponent #1: Frontend

Vulnerability Type: Cross-Site Scripting
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Failing to properly sanitize URL parameters, the JSwindow property of the typolink function is susceptible to Cross-Site Scripting. The problem does not exist if the third party extension realurl is used and its configuration parameter doNotRawUrlEncodeParameterNames is set to FALSE (default).

Vulnerable subcomponent #2: Backend

Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C
Problem Description: For authentication attempts with wrong credentials, TYPO3 sends different HTTP headers depending on whether the provided username or the provided password is wrong.

Vulnerability Type: Authentication Delay Bypass
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C
Problem Description: The TYPO3 Backend login has a delay for authentication attempts with wrong credentials. By using a crafted request, an attacker is able to bypass the mandatory delay in such cases.

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Failing to properly sanitize a username, the admin panel is susceptible to Cross-Site Scripting.

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Failing to properly sanitize a content element's link attribute, the browse_links wizard is susceptible to Cross-Site Scripting. Exploiting requires an attacker to prepare a content element and trick its victim to open the browse_links wizard for this record.

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Failing to properly sanitize a page title, the system extension recycler is susceptible to Cross-Site Scripting. Exploiting requires an attacker to prepare a page and deleted page and trick its victim to visit the recycler.

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Failing to properly sanitize a page title, the tcemain flash message is susceptible to Cross-Site Scripting. Exploiting requires an attacker to prepare a page and trick its victim to copy/move the prepared page.

Vulnerability Type: Information Disclosure
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C
Problem Description: A TYPO3 Backend user (editor) is able to see workspace changes of records in any language, even those he hasn't been granted access to.

Vulnerability Type: Information Disclosure
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Using the getText feature on headlines of content elements it is possible to retrieve arbitrary data from the TYPO3 database. The vulnerability results from an insecure configuration in the css_styled_content system extension. Important Note: Having an adjusted fontTag property in the provided TypoScript (e.g. lib.stdheader.10.1.fontTag) or depending on headlines passed through fontTag might result in unexpected rendering results. Headline rendering is now handled through dataWrap (e.g. lib.stdheader.10.1.dataWrap). Make sure to check your TypoScript before the update and check the website rendering after it!

Vulnerability Type: Unserialize() vulnerability
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:C/A:N/E:U/RL:OF/RC:C
Problem Description: Special user input of BE editors is treated as serialized data and is deserialized by TYPO3. This allows BE editors to delete any arbitrary file the webserver has access to.

Vulnerable subcomponent #3: Exposed API

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: The RemoveXSS function fails to sanitize an attack vector that works in Internet Explorer version 6.

Vulnerability Type: Missing Access Control
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: ExtDirect endpoints are not associated with TYPO3 backend modules, and as such TYPO3 access control is not applied on ExtDirect calls. This allows arbitrary BE users to consume any available ExtDirect endpoint service.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
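The "Unserialize() vulnerability" entry above is the general PHP object injection problem: once editor input reaches `unserialize()`, any class the application can load may be instantiated with attacker-chosen properties, and its magic methods run. The following added example (not TYPO3 code) contrasts that with a decoder that only ever hands back scalars and arrays; `TempFileCleanup` is a constructed class standing in for any application class whose destructor has side effects, and both inputs are constructed.

```php
<?php
// Added example, not TYPO3 code. Contrasts deserialising a user-supplied string
// with unserialize() directly against a decoder that permits only scalars and
// arrays. TempFileCleanup is a constructed class standing in for any
// application class whose magic methods have side effects.

class TempFileCleanup
{
    public $path = '';

    public function __destruct()
    {
        // A real class might unlink($this->path) here; this one only records
        // that the destructor ran, to keep the demonstration side-effect free.
        $GLOBALS['destructorRan'][] = $this->path;
    }
}

// Unsafe: any class reachable by the autoloader can be instantiated from the
// input and its __wakeup()/__destruct() code runs with the input's properties.
function decodeUnsafe(string $input)
{
    return unserialize($input);
}

// Safer: objects are not reconstructed (allowed_classes => false turns them into
// __PHP_Incomplete_Class, PHP >= 7.0), and anything that is still an object is
// rejected so the caller only ever sees scalars and arrays.
function decodeScalarsOnly(string $input)
{
    $value = @unserialize($input, ['allowed_classes' => false]);
    if ($value === false && $input !== 'b:0;') {
        throw new UnexpectedValueException('not valid serialized data');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('objects are not allowed in this context');
    }
    return $value;
}

function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a harmless array and a string that names an application class.
$harmless      = serialize(['limit' => 10, 'sort' => 'title']);
$objectPayload = 'O:15:"TempFileCleanup":1:{s:4:"path";s:13:"/tmp/some.tmp";}';

$GLOBALS['destructorRan'] = [];
decodeUnsafe($objectPayload);   // the object is built and freed; __destruct() runs
echo count($GLOBALS['destructorRan']), ' destructor call(s) triggered by the input', PHP_EOL;

var_dump(decodeScalarsOnly($harmless));
try {
    decodeScalarsOnly($objectPayload);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The structural fix that the bulletin implies is to stop treating editor-supplied strings as serialized data at all; where a serialized format is unavoidable, `allowed_classes => false` plus an explicit object check limits the decoder to plain data, and a format without object semantics (JSON) is the simpler choice for new code.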
Bug#630412: typo3-src-4.3: scheduler cronjob creates unnecessary alerts in syslog
On 13.06.2011 21:51, Jens Scheidtmann wrote:

> Unfortunately I was not able to locate the offending source line using grep and find...

Which extension do you have installed and activated in the scheduler? If you do not use the scheduler, which commands does your cron run? Perhaps this is related to a job provided by an extension.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#627199: typo3-dummy: cronjob throws error messages
On 18.05.2011 17:51, David Andel wrote:

> Since the last upgrade in January(?) /etc/cron.d/typo3-dummy throws the following error messages:

Please make sure the system extension scheduler is installed in EM. The cronjob is configured to use this extension instead of the old cron mechanisms.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#619642: Current version?
Package: libjs-extjs

Are there any plans to package ExtJS in its current version (3.2.x)? I would need that for the typo3-src package.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#614133: typo3-database: Text during configuration badly worded
On 23.02.2011 22:37, Daniel Skorka wrote:

> If the text can't be changed, then yes, that would help to clarify things.

Did you have a look into typo3-dummy/README.Debian? There are some notes about installing the database packages.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#614133: typo3-database: Text during configuration badly worded
On 23.02.2011 22:37, Daniel Skorka wrote:

> If the text can't be changed, then yes, that would help to clarify things.

What I meant to write: did you have a look into typo3-database/README.Debian? There are some notes about installing the database packages.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#614135: typo3-dummy: Does not provide a user and password
On 19.02.2011 23:19, Daniel Skorka wrote:

> this package fails to register a user and password with the typo3 database.

Yes, this is a bug in the package. This one is fixed in the 4.5 series packages, which import the standard admin/password user at installation. Unfortunately I forgot this in 4.3. And I'm not sure how to fix this in the stable release.

> In this state, the package is completely unusable.

No, it's not. You can always generate admin user accounts using the install tool of typo3. But you found that already :)

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#614133: typo3-database: Text during configuration badly worded
On 19.02.2011 23:12, Daniel Skorka wrote:

> Something along the lines of "choose the password that Typo3 will use to connect to the database" would be a better wording, in my opinion, and save some needless hassle.

The whole procedure of entering passwords and creating/deleting/updating the database is handled by the package dbconfig-common. I do not have access to the wording which is shown to the user. Or at least I have no idea how to change it. Perhaps some lines of documentation in README.debian would help on this one?

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#612145: RM: typo3-dummy -- ROM; merged into typo3-src
Package: ftp.debian.org

Hello ftp-masters,

please remove the source package typo3-dummy from unstable. It has been merged with typo3-src in unstable using the new source format 3.0 (quilt). The binary package typo3-dummy is now built by typo3-src.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#611387: typo3-dummy: Missing dependency on apache2.2-common
On 28.01.2011 19:21, Ulrich P. Klein wrote:

> php5 support is also not installed by default, so libapache2-mod-php5 should be the appropriate dependency.

I'm not sure what you did during install, but typo3-dummy depends on php5, which itself depends on

libapache2-mod-php5 (= 5.3.3-7) | libapache2-mod-php5filter (= 5.3.3-7) | php5-cgi (= 5.3.3-7)

So at least one of those packages must have been installed.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#611387: typo3-dummy: Missing dependency on apache2.2-common
On 28.01.2011 18:36, Ulrich P. Klein wrote:

> The post-install script calls a2ensite from apache2.2-common

Yes it does, but only if you select apache integration mode. This way the integration is automated for apache, but a manual installation is possible if another webserver (like nginx) is used. Depending on apache2.2-common would force other users to install half an apache installation, which I do not want. Perhaps I will provide some typo3-dummy-apache2 and typo3-dummy-nginx etc. packages in the future. I put it into Suggests: until then.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#607286: TYPO3 Security Bulletin TYPO3-SA-2010-022: Multiple vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

Component Type: TYPO3 Core
Affected Versions: 4.2.15 and below, 4.3.8 and below, 4.4.4 and below
Vulnerability Types: Arbitrary Code Execution, Path Traversal, Cross-Site Scripting (XSS), SQL injection, Information Disclosure
Overall Severity: High

Vulnerable subcomponent #1: Frontend

Vulnerability Type: Cross-Site Scripting
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly sanitize user input, the click enlarge functionality is susceptible to Cross-Site Scripting. The problem only exists if the TYPO3 caching framework is turned on by configuration.

Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: For a regular editor it is possible to inject arbitrary HTML or JavaScript into the FORM content object. A valid backend login is required to exploit this vulnerability.

Vulnerable subcomponent #2: PHP file inclusion protection API

Vulnerability Type: Arbitrary Code Execution
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
Problem Description: Because of insufficient validation of user input it is possible to circumvent the check for executable PHP files in some cases.

Vulnerable subcomponent #3: Install Tool

Vulnerability Type: Cross-Site Scripting
Severity: Medium
TODO: Suggested CVSS v2.0: AV:L/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the TYPO3 Install Tool is susceptible to XSS attacks in several places. A valid Install Tool login is required to exploit these vulnerabilities.

Vulnerable subcomponent #4: Backend

Vulnerability Type: Remote File Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly validate user input, the TypoScript file inclusion functionality makes it possible to also include arbitrary PHP files into the TypoScript setup. A valid admin user login is required to exploit this vulnerability.

Vulnerability Type: Path Traversal
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the unzip library is susceptible to Path Traversal.

Vulnerability Type: SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the list module functionality is susceptible to SQL injection. A valid backend login with the rights to access the list module is required to exploit this vulnerability.

Vulnerable subcomponent #5: Database API

Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: If the database connection to the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, the TYPO3 Database API method escapeStrForLike() fails to properly quote user input, making it possible to inject wildcards into a LIKE query. This could potentially disclose a set of records that are meant to be kept secret.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
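The last entry above (escapeStrForLike() under NO_BACKSLASH_ESCAPES) is worth seeing concretely. The following added example is not TYPO3's code: `escapeForLike()` and `likeCondition()` are a hypothetical escaper that names its escape character in an explicit `ESCAPE` clause, so it does not depend on how the server treats backslashes, and `likeMatches()` is a small local evaluator of LIKE semantics so the two behaviours can be compared offline without a database. The search input and record values are constructed.

```php
<?php
// Added example, not TYPO3's escapeStrForLike(). Shows why escaping LIKE
// wildcards with a backslash breaks when the server does not treat backslash as
// an escape character (MySQL sql_mode NO_BACKSLASH_ESCAPES), and how an explicit
// ESCAPE clause makes the escaping independent of that setting. likeMatches()
// is a local evaluator of LIKE semantics used to illustrate the server's
// behaviour offline; it is not a database call.

// Escape % and _ (and the escape character itself) with $escape.
function escapeForLike(string $value, string $escape): string
{
    if (strlen($escape) !== 1 || in_array($escape, ['%', '_', "'", '\\'], true)) {
        throw new InvalidArgumentException('escape must be one character, not a wildcard, quote or backslash');
    }
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// SQL fragment that names the escape character explicitly; the pattern itself
// is still passed as a bound parameter (the '?').
function likeCondition(string $column, string $escape): string
{
    return sprintf("%s LIKE ? ESCAPE '%s'", $column, $escape);
}

// Evaluate a LIKE pattern against a subject. $escape === null models a server
// that recognises no escape character, which is what backslash escaping amounts
// to when the server's sql_mode treats backslash as an ordinary character.
function likeMatches(string $pattern, string $subject, ?string $escape): bool
{
    $regex = '';
    $length = strlen($pattern);
    for ($i = 0; $i < $length; $i++) {
        $c = $pattern[$i];
        if ($escape !== null && $c === $escape && $i + 1 < $length) {
            $regex .= preg_quote($pattern[++$i], '/');   // escaped: literal next char
        } elseif ($c === '%') {
            $regex .= '.*';                               // any sequence
        } elseif ($c === '_') {
            $regex .= '.';                                // any single char
        } else {
            $regex .= preg_quote($c, '/');
        }
    }
    return preg_match('/^' . $regex . '$/s', $subject) === 1;
}

// Constructed scenario: a user searches for the literal text "50%".
$userInput = '50%';
$records   = ['50%', '50\\confidential', '500'];

// Backslash escaping, evaluated by a server that ignores backslashes.
$backslashPattern = str_replace(['%', '_'], ['\\%', '\\_'], $userInput);
foreach ($records as $record) {
    printf("backslash escaping, NO_BACKSLASH_ESCAPES: %-18s %s\n", $record,
        likeMatches($backslashPattern, $record, null) ? 'matches' : 'no match');
}

// The same search with the escape character named in the query's ESCAPE clause.
$pattern = escapeForLike($userInput, '!');
echo likeCondition('title', '!'), PHP_EOL;
foreach ($records as $record) {
    printf("explicit ESCAPE '!':                    %-18s %s\n", $record,
        likeMatches($pattern, $record, '!') ? 'matches' : 'no match');
}
```

Run with the server model that ignores backslashes, the backslash-escaped pattern keeps `%` as a wildcard (the record containing a backslash matches while the literal "50%" does not), which is the disclosure the bulletin describes. With the escape character declared in the `ESCAPE` clause the pattern matches only the literal text, whatever the connection's sql_mode is.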
Bug#606790: typo3-dummy: package fails to upgrade properly from lenny
On 11.12.2010 18:50, Lucas Nussbaum wrote:

> While testing the installation of all packages in squeeze, I ran into the following problem:

This doesn't seem to be a problem of typo3-dummy or typo3-database but either of dbconfig-common or mysql-server. The mysql-server is not running (I don't know the cause) and that leads to the failure that dbconfig-common cannot set up the database. Please make sure that mysql-server is running when typo3-database is configured and try again.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#606740: typo3-src-4.5: Menu in GLUECK template rendered incorrectly
On 11.12.2010 12:58, Ulrich P. Klein wrote:

> Upgrading from 4.3.8 to 4.5, I noticed that in pages based on the GLUECK template, both menus are set in a single line. A fresh installation shows the same behavior. The HTML source shows that (compared to 4.3.8) the td tags are missing:

This seems to be a bug in the upstream distribution. Could you please file a bug in the TYPO3 bugtracker: http://bugs.typo3.org

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#591969: status update?
On 07.12.2010 15:40, Holger Levsen wrote:

> Hi Christian, any idea what to do about this bug?

I added the source code of

./typo3/contrib/flashmedia/flvplayer.swf
./typo3/contrib/flashmedia/player.swf

to the 4.5.0+dfsg1~beta2-1. flvplayer.swf is a part of TYPO3 and source is available from typo3-svn. player.swf came from pixelout player 1.2. All ActionScript 3 code is not buildable within Debian because Debian has no AS3 compiler. Perhaps flex-sdk will be available in some time (see #602499) but until then no AS3 SWF can be built from source.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#605249: unblock: typo3-src/4.3.8+dfsg1-1
On 28.11.2010 16:36, Holger Levsen wrote:

> so this seems like it would break each of the callers?

Stupid me! The `return $script;` should not have been commented out. I uploaded a fixed version to mentors.d.n

> Christian?

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#602250: typo3-src-4.3: jsmin.php is non-DFSG
On 03.11.2010 01:25, Simon McVittie wrote:

> It was written by Geoff Stearns, author of SWFObject, so if Quicktime is still relevant, he'd probably be willing to re-release this script under the same license as SWFObject (which is MIT).

I wrote an email to him and this was his answer:

> Yes, I should have added the MIT license to it, though keep in mind it's really really old code and may not even work that well these days...
>
>> Hi Geoff,
>>
>> I'm the Debian maintainer of typo3 and now faced with a license problem with your qtobject code. typo3 includes this module but your license is not free enough for Debian. I got the following bug report:
>>
>>> On closer inspection, typo3/contrib/flashmedia/qtobject is non-free by omission (no explicit permission to distribute modified versions), but probably intended to be free software: There are no usage restrictions on this file, feel free to distribute this code and associated files.
>>
>> I want to ask you if you could re-release this code under a license that is on this list of DFSG-compatible licenses: http://wiki.debian.org/DFSGLicenses#TheBigDFSG-compatibleLicenses
>>
>> Thank you in advance.

Surely this doesn't suffice to be a license change, does it? I asked him to change the license more officially on his website and now I'm waiting for some reply.

-- 
Regards, Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#588518: Where?
Hi there,

I could not find the mentioned ablities. Where is this spelling error?

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#599334: TYPO3 Security Bulletin TYPO3-SA-2010-020: Multiple vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

Affected Versions: 4.2.14 and below, 4.3.6 and below, 4.4.3 and below
Vulnerability Types: Remote File Disclosure, Cross-Site Scripting (XSS), Privilege Escalation, Denial of Service

Vulnerable subcomponent #1: Access tracking mechanism
Vulnerability Type: Remote File Disclosure
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: A Remote File Disclosure vulnerability in the jumpUrl mechanism, used to track access to web pages and provided files, allows a remote attacker to read arbitrary files on a host. Because of a non-typesafe comparison between the submitted and the calculated hash, it is possible to spoof a hash value to bypass the access control. No authentication is required to exploit this vulnerability. The vulnerability allows reading any file the web server user account has access to.

Vulnerable subcomponent #2: Backend
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.

Vulnerability Type: Remote File Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly validate user input, the Extension Manager is susceptible to Remote File Disclosure. By forging a special request parameter it is possible to view (and, under special conditions, edit) the contents of every file the webserver has access to. A valid admin user login is required to exploit this vulnerability.

Vulnerability Type: Privilege Escalation
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly validate user input, the sys_action task be_user_creation is susceptible to Privilege Escalation. By forging a POST request, an editor with the rights to create users in the taskcenter can create users that are members of arbitrary usergroups and thereby possibly elevate her privileges.

Vulnerable subcomponent #3: Validation/Filtering API
Vulnerability Type: Denial of Service
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Problem Description: Because of a PHP crash in the filter_var() function when large strings are passed to it, TYPO3 is susceptible to a Denial of Service attack in every place the API function t3lib_div::validEmail() is used.

Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: The normalisation feature of the RemoveXSS function was incomplete, allowing an attacker to inject arbitrary JavaScript code.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
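The "non-typesafe comparison" in subcomponent #1 is PHP's == applied to two strings. The script below is an added illustration, not TYPO3's jumpUrl code: it models the access check as md5(secret . path) compared with a client-supplied value (the bulletin does not say what the real hash input is, so that is an assumption), uses the well-known inputs 240610708 and QNKCDZO whose md5 digests have the form 0e<digits>, and contrasts the loose check with a strict, constant-time one.

```php
<?php
// Added illustration of a non-typesafe hash comparison; not TYPO3 code.
// Assumed model: expected hash = md5(secret . path), compared against a
// value the client submits. Secret and path are constructed so that the
// expected hash is a numeric string of the form 0e<digits>.

function expectedHash(string $secret, string $path): string
{
    return md5($secret . $path);
}

// Vulnerable check: "==" between two strings. When BOTH operands are
// numeric strings PHP compares them as numbers, so
// "0e462097431906509019562988736854" (= 0 * 10^462...) == "0" == "0e1"
// == "00" == any other "0e<digits>" string. This holds in PHP 7 and PHP 8.
function accessAllowedLoose(string $secret, string $path, string $submitted): bool
{
    return $submitted == expectedHash($secret, $path);
}

// Hardened check: hash_equals() (PHP >= 5.6) compares byte-for-byte in
// constant time and never coerces types. "===" alone would also defeat the
// type juggling but leaks timing information about the first mismatching byte.
function accessAllowedStrict(string $secret, string $path, string $submitted): bool
{
    return hash_equals(expectedHash($secret, $path), $submitted);
}

// Helper: does a digest have the shape that makes "==" treat it as zero?
function isZeroLikeNumericString(string $hash): bool
{
    return is_numeric($hash) && (float) $hash == 0.0;
}

// Constructed demonstration. '2406' . '10708' = '240610708', whose md5 is
// 0e462097431906509019562988736854; md5('QNKCDZO') is another 0e<digits> digest.
$secret   = '2406';
$path     = '10708';
$expected = expectedHash($secret, $path);
printf("expected hash: %s  zero-like: %s\n",
    $expected, var_export(isZeroLikeNumericString($expected), true));

// None of these match the expected hash byte-for-byte.
$forged = ['0', '0e1', '00', md5('QNKCDZO')];
foreach ($forged as $value) {
    printf("%-34s loose: %-5s strict: %s\n",
        $value,
        var_export(accessAllowedLoose($secret, $path, $value), true),
        var_export(accessAllowedStrict($secret, $path, $value), true));
}
```

The attacker does not get to pick the secret, but whoever controls the rest of the hashed input (here the path) can try variants until the expected digest takes the 0e<digits> shape, after which any zero-like string such as "0" passes the loose check. The strict check rejects every forged value regardless of shape, which is the property the fix needs.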
Bug#595099: typo3-src: typo3 backend stops working due to backported security patches
On 01.09.2010 01:56, Fabian Ruff wrote:
> the patch 06-SecBull-TYPO3-SA-2010-012.dpatch introduces the usage of a non-existing function: t3lib_div::sanitizeLocalUrl

A fixed package awaits upload on mentors. Until uploaded you can find it here: http://typo3.camlann.de/

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#591969: typo3-src: does not build .swf files from source
On 12.08.2010 00:14, Holger Levsen wrote:
> typo3-src ships multiple .swf files but they are not built from source. In fact, it appears that the source code is not shipped at all, which for one/some of them is a licence violation but in general is a policy violation.
> are those .swf files needed at all?

Yes, they are.

./typo3/contrib/swfupload/swfupload.swf
Is used in the file manager component.

./typo3/contrib/extjs/resources/charts.swf
Some elements in the backend are now based on extjs (page tree and recycler afaik).

./typo3/contrib/flashmedia/flvplayer.swf
./typo3/contrib/flashmedia/player.swf
Both of these swf files are used by the multimedia frontend component (content elements of type multimedia).

./typo3/contrib/flashmedia/swfobject/expressInstall.swf
./typo3/contrib/extjs/resources/expressinstall.swf
These are files provided for easy installation (every flash page in the world has them).

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#590719: TYPO3 Security Bulletin TYPO3-SA-2010-012: Multiple vulnerabilities in TYPO3 Core
Authentication and Session Management
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:C/I:C/A:N/E:POC/RL:OF/RC:C
Problem Description: TYPO3 authenticates install tool users without invalidating a supplied session identifier. Therefore, TYPO3 is open to session fixation attacks, enabling an attacker to hijack a victim's session.

Vulnerable subcomponent #6: FLUID Templating Engine
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to escape the output, using the textarea view helper in an extbase extension leads to an XSS vulnerability if the extension author does not take care of escaping the output.

Vulnerable subcomponent #7: Mailing API
Vulnerability Type: Information Disclosure
Severity: Very Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: The TYPO3 HTML mailing API class t3lib_htmlmail includes the exact version number of the TYPO3 installation in the mail header.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
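The session fixation fix for the first item above is the same in any PHP application: the session identifier the client arrived with must never survive authentication. The PHP below is an added illustration, not the Install Tool's code; findUser() and its single user record are constructed for the example, and both login functions assume they run inside a web request.

```php
<?php
// Added illustration of session fixation and its fix; not TYPO3 code.
// findUser() is a constructed stand-in for a real user lookup.

// Constructed single-user store holding a password_hash() digest.
function findUser(string $name): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)]];
    }
    return $users[$name] ?? null;
}

// Vulnerable: whatever session id the request carried (a cookie the attacker
// planted on the victim's browser, or an id passed in a crafted link) is kept
// and simply marked as authenticated. The attacker already knows that id, so
// once the victim logs in, the attacker's browser is logged in as well.
function loginVulnerable(string $name, string $password): bool
{
    session_start();
    $user = findUser($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    $_SESSION['user'] = $name;
    return true;
}

// Hardened, with two independent measures:
//  1. session.use_strict_mode (PHP >= 5.5.2): an id the server never issued is
//     discarded and a fresh one generated, so a fixed id is rejected even
//     before login.
//  2. session_regenerate_id(true) at the privilege change: the authenticated
//     state lives under a new id and the old id's data is destroyed, so an id
//     the attacker fixed never becomes an authenticated session.
function loginSafe(string $name, string $password): bool
{
    ini_set('session.use_strict_mode', '1');   // must precede session_start()
    ini_set('session.cookie_httponly', '1');   // keep the id away from scripts
    session_start();
    $user = findUser($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);               // new id, old session deleted
    $_SESSION['user']       = $name;
    $_SESSION['login_time'] = time();
    return true;
}

// Usage inside a login request handler (hypothetical parameter names):
//   if (loginSafe($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       header('Location: /backend/');
//   }
```

Regenerating on login is the essential step; strict mode is the belt to that suspenders, because it also closes the variant where the attacker fixes an id on the victim and waits for the application to populate it without any login at all.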
Bug#586285: typo3-dummy: General update after the debconf review process
On 19.07.10 21:33, Christian PERRIER wrote:
> Are there any plans to fix that bug in a near future? I'm hunting the last packages with remaining localization work that's still pending in the BTS and typo3-dummy is slowly climbing up on my radar (http://i18n.debian.net/debian-l10n/l10n-nmu/nmu_bypackage.html).

I already integrated the patch into my packages but was not sure how to handle the changelog. I cannot use yours, because I cannot sign it; if I add my own above yours, the bugs will not be closed. If I label your entry as mine, your credits get lost. I'm not sure what I shall do.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#529581: typo3-src-4.2: Should depend on libnusoap-php instead of shipping it
On 01.05.2010 12:32, Olivier Berger wrote:
> On Wed, May 20, 2009 at 10:46:11AM +0200, Olivier Berger wrote:
> > A copy of nusoap is shipped in the typo3-src-4.2 package. The typo3-src-4.2 packaging should then be updated to depend on libnusoap-php instead of shipping it.
> Anyone there?

I'm here, but when I looked into this some time ago, I had the impression that the files are not identical. I had no time to investigate this further and wrote it on the todo-if-nothing-more-important-is-available list.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#574655: typo3: Backend page is not displayed after initial installation
On 22.04.2010 18:10, Leandro Doctors wrote:
> **Problem description

Lately I installed the packages myself for a new page and got the same problem. The problem is that the database configuration is not written to the expected file in /etc/typo3-dummy/debian-db.php. That's why typo3 thinks it's not configured and redirects to the install tool. I haven't had time yet to investigate this.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#574655: typo3: Backend page is not displayed after initial installation
On 29.03.2010 15:56, Leandro Doctors wrote:
> BTW: The source code of the http://localhost/cms/typo3/index.php file is blank

This is definitely strange. index.php is a symlink to the index.php in the typo3-src package. The file should not be empty. Are you sure you installed all packages? Try reinstalling the stuff!

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#574655: typo3: Backend page is not displayed after initial installation
On 24.03.2010 22:41, Leandro Doctors wrote:
> #tail /var/log/apache2/error.log
> [Wed Mar 24 22:24:14 2010] [error] [client ::1] PHP Fatal error: session_start(): Failed to initialize storage module: files (path: ) in /usr/share/typo3/typo3_src-4.3/typo3/index.php on line 122

Your PHP installation seems to be broken. Try googling for "Failed to initialize storage module: files". There are some hits, but there are several solutions. You have to try out which one helps on your system. Otherwise try reinstalling the whole PHP/Typo3 bundle.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#574655: typo3: Backend page is not displayed after initial installation
On 24.03.2010 19:16, Leandro Doctors wrote:
> [Wed Mar 24 19:03:43 2010] [error] [client ::1] PHP Fatal error: session_start(): Failed to initialize storage module: files (path: )

Which version of PHP are you using? Do you use some custom version of php.ini? It seems your settings for the session management are broken. Is the file content right?

> Is /usr/share/typo3/typo3_src-4.3 the right place to place the .htaccess file?

The right location would be /var/lib/typo3-dummy.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#574655: typo3: Backend page is not displayed after initial installation
On 19.03.10 21:35, Leandro Doctors wrote:
> A possible cause could be a consequence of using different version numbers for typo3-dummy and the rest of the typo3-related packages, but I'm not sure about it.

There must be another problem. The typo3-dummy package has been unchanged for several versions and is therefore still at 4.3.0. Please enable debugging output in your PHP installation and look for errors in the PHP error log.

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/de/pgpkey.html
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#552020: TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple vulnerabilities in TYPO3 Core

Vulnerability Types: SQL injection, Cross-site scripting (XSS), Information disclosure, Frame hijacking, Remote shell command execution and Insecure Install Tool authentication/session handling.

Problem Description 1: By entering malicious content into a tt_content form element, a backend user could recalculate the encryption key. This knowledge could be used to attack TYPO3 mechanisms that are protected by this key. A valid backend login is required to exploit this vulnerability.

Problem Description 2: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.

Problem Description 3: By manipulating URL parameters it is possible to include arbitrary websites in the TYPO3 backend framesets. A valid backend login is required to exploit this vulnerability.

Problem Description 4: By uploading files with malicious filenames, an editor could execute arbitrary shell commands on the server on which the TYPO3 installation is located. A valid backend login is required to exploit this vulnerability.

Problem Description 5: Failing to sanitize URL parameters, TYPO3 is susceptible to SQL injection in the frontend editing feature (the traditional one, not feeditadvanced, which will be shipped with TYPO3 4.3). A valid backend login and activated frontend editing are required to exploit this vulnerability.

Problem Description 6: The sanitizing algorithm of the API function t3lib_div::quoteJSvalue was not sufficient, so an attacker could inject specially crafted HTML or JavaScript code. Since this function can be used in backend modules as well as in frontend extensions, this vulnerability could also be exploited without a valid backend login.

Problem Description 7: Failing to sanitize URL parameters, the Frontend Login Box is susceptible to XSS.

Problem Description 8: It is possible to gain access to the Install Tool by knowing only the md5 hash of the Install Tool password.

Problem Description 9: Failing to sanitize URL parameters, the Install Tool is susceptible to Cross-site scripting attacks.

For more information see the TYPO3 bulletin at: https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
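Problem 6 describes a JavaScript-string escaper that handles too few characters. The PHP below is an added illustration and not t3lib_div::quoteJSvalue (the bulletin does not say which characters it missed): it pairs a quote-only escaper built on addslashes() with a json_encode()-based one, embeds each result in an inline script the way a backend module might, and checks whether constructed payloads escape the script element. Function names and payloads are invented for the example.

```php
<?php
// Added illustration of insufficient vs. sufficient JavaScript-string
// quoting; not TYPO3 code. Payloads are constructed for the demonstration.

// Insufficient: only quotes, backslashes and NUL are escaped. A value that
// contains no quote at all, such as a closing </script> tag, passes through
// unchanged. The browser's HTML parser ends the script element before the
// JavaScript parser ever reads the literal, so the rest of the value is
// treated as fresh markup.
function quoteJsNaive(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// Hardened: emit a JSON string literal and hex-escape the characters the
// HTML parser cares about (<, >, &, ', "). json_encode() also escapes "/"
// and all non-ASCII code points by default, which covers the JS line
// terminators U+2028/U+2029. Invalid UTF-8 makes json_encode() return
// false; fail loudly rather than emit an empty literal.
function quoteJsSafe(string $value): string
{
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new InvalidArgumentException('value is not valid UTF-8: ' . json_last_error_msg());
    }
    return $json;
}

// Embed a quoted value in an inline script.
function inlineScript(string $quoted): string
{
    return '<script>var value = ' . $quoted . ';</script>';
}

// Does the value close the <script> element early? Drop the one legitimate
// closing tag at the very end; any </script remaining is a breakout.
function breaksOutOfScript(string $html): bool
{
    $body = preg_replace('#</script>$#i', '', $html, 1);
    return stripos($body, '</script') !== false;
}

$payloads = [
    'plain text',
    "O'Reilly",
    '</script><script>alert(document.cookie)</script>',
    "line\u{2028}separator",
];
foreach ($payloads as $p) {
    $naive = inlineScript(quoteJsNaive($p));
    $safe  = inlineScript(quoteJsSafe($p));
    printf("naive breakout=%-5s %s\n", var_export(breaksOutOfScript($naive), true), $naive);
    printf("safe  breakout=%-5s %s\n", var_export(breaksOutOfScript($safe), true), $safe);
}
```

The third payload is the one that matters: addslashes() leaves it byte-for-byte intact because it holds no quote or backslash, while the JSON form turns every angle bracket into \u003C or \u003E and the slash into \/, so no HTML parser can see a tag inside the literal. The fourth payload shows the secondary problem: the naive output carries a raw U+2028, which older JavaScript engines treat as a line terminator inside a string literal.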
Bug#514713: Information disclosure and XSS vulnerabilities in TYPO3
Package: typo3-src
Version: 4.0.2+debian-7
Severity: critical
Tags: security

TYPO3 Security Bulletin TYPO3-SA-2009-002: Information Disclosure and XSS in TYPO3 Core

Problem Description 1: An Information Disclosure vulnerability in the jumpUrl mechanism, used to track access to web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users, allowing them to bypass access control by providing the correct value. No authentication is required to exploit this vulnerability. The vulnerability allows reading any file the web server user account has access to.

Problem Description 2: Failing to sanitize user input, three fields in the backend are open to Cross-Site Scripting (XSS).

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#514713: Information disclosure and XSS vulnerabilities in TYPO3
Hi there,

TYPO3 Security Bulletin TYPO3-SA-2009-002: Information Disclosure and XSS in TYPO3 Core

A fixed version of typo3-src version 4.0 for etch is currently waiting to be uploaded by my sponsor Holger Levsen on mentors.d.n: http://mentors.debian.net/debian/pool/main/t/typo3-src/typo3-src_4.0.2+debian-8.dsc

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#460678: Same problem here
Hi there,

I have the same problem here after updating to the current version in unstable. This seems to lead to some permission problems while opening files on Mac or not finding associated programs for files. daemon.log says this:

Jan 28 13:20:34 projektserver cnid_dbd[30338]: Setting uid/gid to 0/0
Jan 28 13:20:34 projektserver cnid_dbd[30338]: Startup, DB dir /daten/print_share/.AppleDB
Jan 28 13:20:35 projektserver cnid_dbd[30338]: error writing message : Broken pipe

Version of netatalk: 2.0.4~beta2-4

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#460678: Same problem here
On Wednesday 28 January 2009, Jonas Smedegaard wrote:
> Do I understand correctly that the issue is only temporary, until the cnid_dbd daemon has properly started?

The problem is: I'm not sure. In my installation there is no delay while connecting to the server; it is as fast as usual. But the broken pipe issue remains. And the people working on the Macs report that they cannot open some files because of permission not granted (all files on the shares have the same user and group, which are the same as the ones afpd is running as).

Btw, here is a complete log of a startup:

Jan 28 13:18:59 projektserver atalkd[30293]: restart (2.0.4beta2)
Jan 28 13:19:00 projektserver atalkd[30293]: zip_getnetinfo for eth1
Jan 28 13:19:10 projektserver atalkd[30293]: zip_getnetinfo for eth1
Jan 28 13:19:20 projektserver atalkd[30293]: zip_getnetinfo for eth1
Jan 28 13:19:30 projektserver atalkd[30293]: config for no router
Jan 28 13:19:31 projektserver atalkd[30293]: ready 0/0/0
Jan 28 13:19:43 projektserver afpd[30316]: Registering CNID module [last]
Jan 28 13:19:43 projektserver afpd[30316]: Registering CNID module [cdb]
Jan 28 13:19:43 projektserver afpd[30316]: Registering CNID module [dbd]
Jan 28 13:19:43 projektserver afpd[30316]: Loading ConfigFile
Jan 28 13:19:43 projektserver afpd[30316]: Finished parsing Config File
Jan 28 13:19:49 projektserver afpd[30316]: projekte:afpser...@* started on 65280.50:128 (2.0.4beta2)
Jan 28 13:19:49 projektserver afpd[30316]: ASIP started on 192.168.0.8:548(5) (2.0.4beta2)
Jan 28 13:19:49 projektserver afpd[30316]: uam: loading (/usr/lib/netatalk/uams_randnum.so)
Jan 28 13:19:49 projektserver afpd[30316]: uam: uam not found (status=-1)
Jan 28 13:19:49 projektserver afpd[30316]: uam: loading (/usr/lib/netatalk/uams_clrtxt.so)
Jan 28 13:19:49 projektserver afpd[30316]: uam: uams_clrtxt.so loaded
Jan 28 13:19:49 projektserver afpd[30316]: uam: Cleartxt Passwrd available
Jan 28 13:20:05 projektserver afpd[30323]: ASIP session:548(5) from 192.168.0.4:49161(8)
Jan 28 13:20:05 projektserver afpd[30316]: server_child[1] 30323 done
Jan 28 13:20:11 projektserver afpd[30326]: ASIP session:548(5) from 192.168.0.4:49162(8)
Jan 28 13:20:11 projektserver afpd[30326]: cleartext login: username
Jan 28 13:20:11 projektserver afpd[30326]: login username (uid 1001, gid 1001) AFP3.1
Jan 28 13:20:13 projektserver cnid_dbd[30327]: Setting uid/gid to 0/0
Jan 28 13:20:13 projektserver cnid_dbd[30327]: Startup, DB dir /daten/web_share/.AppleDB
Jan 28 13:20:13 projektserver cnid_dbd[30327]: error writing message : Broken pipe
Jan 28 13:20:14 projektserver afpd[30326]: ipc_write: command: 2, pid: 30326, msglen: 24
Jan 28 13:20:14 projektserver afpd[30316]: ipc_read: command: 2, pid: 30326, len: 24
Jan 28 13:20:14 projektserver afpd[30316]: Setting clientid (len 16) for 30326, boottime 754D8049
Jan 28 13:20:14 projektserver afpd[30316]: ipc_get_session: len: 24, idlen 16, time 754d8049
[...]

--
Kind regards,
Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
Bug#512626: typo3-dummy: typo3 cannot send emails
Package: typo3-dummy
Version: 4.2.3-1
Severity: grave
Justification: renders package unusable

The config set by apache.conf includes the wrong value for the sendmail_path php_value. Therefore sendmail does not accept emails sent by the typo3 core.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages typo3-dummy depends on:
ii  debconf           1.5.24                   Debian configuration management sy
ii  exim4             4.69-9                   metapackage to ease Exim MTA (v4)
ii  exim4-daemon-lig  4.69-9                   lightweight Exim MTA (v4) daemon
ii  graphicsmagick    1.1.11-3.2               collection of image processing too
ii  libapache2-mod-p  5.2.6.dfsg.1-0.1~lenny1  server-side, HTML-embedded scripti
ii  php5-cgi          5.2.6.dfsg.1-0.1~lenny1  server-side, HTML-embedded scripti
ii  php5-cli          5.2.6.dfsg.1-0.1~lenny1  command-line interpreter for the p
ii  php5-gd           5.2.6.dfsg.1-0.1~lenny1  GD module for php5
ii  php5-mysql        5.2.6.dfsg.1-0.1~lenny1  MySQL module for php5
ii  php5-xcache       1.2.2-3                  Fast, stable PHP opcode cacher
ii  typo3-src-4.3     4.3.0~alpha1-1           TYPO3 - The enterprise level open

Versions of packages typo3-dummy recommends:
pn  catdoc            <none>                   (no description available)
ii  ghostscript       8.62.dfsg.1-3.2lenny0    The GPL Ghostscript PostScript/PDF
ii  php5-curl         5.2.6.dfsg.1-0.1~lenny1  CURL module for php5
ii  poppler-utils [x  0.8.7-1                  PDF utilitites (based on libpopple
pn  ppthtml           <none>                   (no description available)
ii  typo3-database    4.3.0~alpha1-1           TYPO3 - The enterprise level open
pn  unrtf             <none>                   (no description available)
pn  xlhtml            <none>                   (no description available)

typo3-dummy suggests no packages.

-- debconf information excluded