Re: [SECURITY] [DSA 1711-1] New TYPO3 packages fix remote code execution

2009-01-26 Thread nicolas . foucher
Hello

I am away until 2 February 2009.
You can contact CARRENET at this address: i...@carrenet.com
or by telephone: 01.56.56.56.00


I am out of the office until 2nd of February 2009.
You can contact CARRENET at i...@carrenet.com or
+33 1 56 56 56 00


-- 
Nicolas Foucher - nicolas.fouc...@carrenet.com
Technical Manager
CARRENET - 100% Web CRM Solutions
01.56.56.56.00



-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: [SECURITY] [DSA 1711-1] New TYPO3 packages fix remote code execution

2009-01-26 Thread Endre Kovács
Hello Nico!
I received your message. Thank you!

Andy Smith andyhu.sm...@gmail.com

2009/1/26 Nico Golde n...@debian.org


 --------------------------------------------------------------------------
 Debian Security Advisory DSA-1711-1                    secur...@debian.org
 http://www.debian.org/security/                                 Nico Golde
 January 26, 2009                        http://www.debian.org/security/faq
 --------------------------------------------------------------------------

 Package: typo3-src
 Vulnerability  : several
 Problem type   : remote
 Debian-specific: no
 CVE ID : CVE-2009-0255 CVE-2009-0256 CVE-2009-0257 CVE-2009-0258
 Debian Bug : 512608
 BugTraq ID : 33376

 Several remotely exploitable vulnerabilities have been discovered in the
 TYPO3 web content management framework.  The Common Vulnerabilities and
 Exposures project identifies the following problems:

 CVE-2009-0255
Chris John Riley discovered that the TYPO3-wide used encryption key is
generated with an insufficiently random seed resulting in low entropy
which makes it easier for attackers to crack this key.

 CVE-2009-0256
Marcus Krause discovered that TYPO3 is not invalidating a supplied session
on authentication which allows an attacker to take over a victim's
session via a session fixation attack.

 CVE-2009-0257
Multiple cross-site scripting vulnerabilities allow remote attackers to
inject arbitrary web script or HTML via various arguments and user-
supplied strings used in the indexed search system extension, adodb
extension test scripts or the workspace module.

 CVE-2009-0258
Mads Olesen discovered a remote command injection vulnerability in
the indexed search system extension which allows attackers to
execute arbitrary code via a crafted file name which is passed
unescaped to various system tools that extract file content for
the indexing.


 Because of CVE-2009-0255, please make sure that besides installing
 this update, you also create a new encryption key after the
 installation.

 For the stable distribution (etch) these problems have been fixed in
 version 4.0.2+debian-7.

 For the unstable distribution (sid) these problems have been fixed in
 version 4.2.5-1.

 We recommend that you upgrade your TYPO3 packages.

 Upgrade instructions
 --------------------

 wget url
will fetch the file for you
 dpkg -i file.deb
will install the referenced file.

 If you are using the apt-get package manager, use the line for
 sources.list as given below:

 apt-get update
will update the internal database
 apt-get upgrade
will install corrected packages

 You may use an automated update by adding the resources from the
 footer to the proper configuration.


 Debian GNU/Linux 4.0 alias etch
 -------------------------------

 Source archives:


 http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian.orig.tar.gz
Size/MD5 checksum:  7683527 be509391b0e4d24278c14100c09dc673

 http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-7.diff.gz
Size/MD5 checksum:    23596 344f6b5ada56d361e274556d6d7eaf99

 http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-7.dsc
Size/MD5 checksum:  610 6b99cc9acd82ec6010a38006910169c9

 Architecture independent packages:


 http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.0.2+debian-7_all.deb
Size/MD5 checksum:    76924 33b4077e99038121aa5667a3a166d99e

 http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.0_4.0.2+debian-7_all.deb
Size/MD5 checksum:  7691182 f5c8ecbf93c7af50b29b5ded8f455b75


  These files will probably be moved into the stable distribution on
  its next update.

 --------------------------------------------------------------------------
 For apt-get: deb http://security.debian.org/ stable/updates main
 For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main
 Mailing list: debian-security-annou...@lists.debian.org
 Package info: `apt-cache show pkg' and http://packages.debian.org/pkg






-- 
Andy Smith
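As an added illustration that is not TYPO3's code and not part of the advisory or either reply above, the patterns a maintainer would use to close the three issue classes the advisory describes (weak key seeding, session fixation, and an unescaped file name passed to extraction tools), written in generic modern PHP; `pdftotext` as the extraction tool, the upload-directory layout, and the function names are assumptions.

```php
<?php
// Added example, not TYPO3 code: hardened counterparts to the advisory's
// issue classes, for a generic PHP application.

// CVE-2009-0255 class: an application-wide key must come from a CSPRNG,
// never from a low-entropy seed such as the clock or a PRNG seeded with it.
function newEncryptionKey(): string
{
    return bin2hex(random_bytes(48)); // 96 hex characters of CSPRNG output
}

// CVE-2009-0256 class: session fixation. A session id supplied before
// authentication must not survive it; issue a fresh id once the
// credentials are verified.
function login(string $user, string $storedHash, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Replace the pre-authentication id and delete its server-side data,
    // so an id planted by a third party is no longer tied to this login.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// CVE-2009-0258 class: a file name handed to a content-extraction tool.
// Never interpolate the raw name into a shell string: confine the file to
// the upload directory and quote the resolved path with escapeshellarg().
function extractText(string $uploadDir, string $fileName): ?string
{
    // Only a bare, non-hidden basename is acceptable (no separators, no "..").
    if ($fileName === '' || $fileName !== basename($fileName) || $fileName[0] === '.') {
        return null;
    }
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file or resolved outside the upload directory
    }
    // escapeshellarg() single-quotes the argument and escapes embedded
    // quotes, so shell metacharacters in the name are passed literally.
    $output = shell_exec('pdftotext ' . escapeshellarg($path) . ' -');
    return is_string($output) ? $output : null;
}
```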