Date: Mon, 2 Apr 2012 23:16:51 +0200
From: "Helmut Schneider" <jumper99@gmx.de>
To: "Ruslan Mahmatkhanov" <cvs-src@yandex.ru>, "Jason Helfman" <jgh@FreeBSD.org>
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr
Message-ID: <D649B5AEC45D47BB9A9C82E3CC7584D6@charlieroot.de>
In-Reply-To: <4F755BBF.7020607@yandex.ru>
References: <201203291821.q2TILLmU032333@repoman.freebsd.org> <CAMuy=+grs_W9Gvck0reDsb5arYGg3N6Az23=WxzoTGxMsQdSnw@mail.gmail.com> <4F755BBF.7020607@yandex.ru>
Does this look reasonable?

<vuln vid="cf36b6a1-7d08-11e1-b720-000c2994762c">
  <topic>Typo3 - Cross-Site Scripting, Information Disclosure, Insecure Unserialize</topic>
  <affects>
    <package>
      <name>typo3</name>
      <range><ge>4.6</ge><le>4.6.6</le></range>
    </package>
    <package>
      <name>typo345</name>
      <range><ge>4.5</ge><le>4.5.13</le></range>
    </package>
    <package>
      <name>typo344</name>
      <range><ge>4.4</ge><le>4.4.13</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The typo3 security team reports:</p>
      <blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/">
        <p>Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within TYPO3.</p>
        <p>Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.</p>
        <p>Accessing a CLI Script directly with a browser may disclose the database name used for the TYPO3 installation.</p>
        <p>By not removing non printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2012-1605</cvename>
    <cvename>CVE-2012-1606</cvename>
    <cvename>CVE-2012-1607</cvename>
    <cvename>CVE-2012-1608</cvename>
    <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/</url>
  </references>
  <dates>
    <discovery>2012-03-28</discovery>
  </dates>
</vuln>

--------------------------------------------------
From: "Ruslan Mahmatkhanov" <cvs-src@yandex.ru>
Sent: Friday, March 30, 2012 9:07 AM
To: "Jason Helfman" <jgh@FreeBSD.org>
Cc: <ports-committers@freebsd.org>; <cvs-ports@freebsd.org>; <cvs-all@freebsd.org>; "Helmut Schneider" <jumper99@gmx.de>
Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr

> Jason Helfman wrote on 30.03.2012 10:30:
>> On Thu, Mar 29, 2012 at 11:21 AM, Ruslan Mahmatkhanov <rm@freebsd.org> wrote:
>>
>>> rm 2012-03-29 18:21:21 UTC
>>>
>>> FreeBSD ports repository
>>>
>>> Modified files:
>>> www/typo345 Makefile distinfo pkg-descr
>>> Log:
>>> - update to 4.5.14
>>>
>>> See
>>> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/
>>>
>>> PR: 166467
>>> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=166467
>>> Submitted by: Helmut Schneider <jumper99 at gmx dot de> (maintainer)
>>> Feature safe: yes
>>>
>>> Revision Changes Path
>>> 1.60 +1 -1 ports/www/typo345/Makefile
>>> 1.42 +4 -4 ports/www/typo345/distinfo
>>> 1.7 +1 -1 ports/www/typo345/pkg-descr
>>>
>>>
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/Makefile.diff?&r1=1.59&r2=1.60&f=h
>>>
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/distinfo.diff?&r1=1.41&r2=1.42&f=h
>>>
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/pkg-descr.diff?&r1=1.6&r2=1.7&f=h
>>>
>>>
>> Are there any plans to document these updates in vuxml?
>>
>> -jgh
>>
>
> No, I haven't. Helmut, would you?
>
> --
> Regards,
> Ruslan
>
> Tinderboxing kills... the drives.
>
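As an added example (not part of the mail or of the FreeBSD ports tree), the following Python check parses the affected-version ranges from the VuXML entry proposed above and reports whether a given package version falls inside them; it copies the <affects> block from the mail as-is, leaves out the description and references, and uses a simplified dotted-number comparison rather than pkg(8)'s full version rules, which is enough to confirm that the 4.5.14 update from the commit lands outside the affected range.

```python
import xml.etree.ElementTree as ET

# The <affects> block of the VuXML entry from the mail above, copied as-is; the
# description and references elements are left out since this check does not use them.
VUXML_ENTRY = """<vuln vid="cf36b6a1-7d08-11e1-b720-000c2994762c">
  <topic>Typo3 - Cross-Site Scripting, Information Disclosure, Insecure Unserialize</topic>
  <affects>
    <package><name>typo3</name><range><ge>4.6</ge><le>4.6.6</le></range></package>
    <package><name>typo345</name><range><ge>4.5</ge><le>4.5.13</le></range></package>
    <package><name>typo344</name><range><ge>4.4</ge><le>4.4.13</le></range></package>
  </affects>
</vuln>"""

# VuXML range bounds: a <range> may carry any combination of these four elements.
BOUND_OPS = {
    "ge": lambda v, b: v >= b,
    "gt": lambda v, b: v > b,
    "le": lambda v, b: v <= b,
    "lt": lambda v, b: v < b,
}

def parse_version(version):
    """Dotted numeric version -> tuple of ints. Simplification: pkg(8)'s full
    version grammar (letter suffixes, _N revisions, ,N epochs) is not handled."""
    return tuple(int(part) for part in version.split("."))

def parse_entry(entry_xml):
    """Return (vid, {package name: [list of (bound op, version tuple) per <range>]})."""
    root = ET.fromstring(entry_xml)
    ranges = {}
    for pkg in root.iter("package"):
        name = pkg.findtext("name")
        for rng in pkg.findall("range"):
            bounds = [(bound.tag, parse_version(bound.text)) for bound in rng]
            ranges.setdefault(name, []).append(bounds)
    return root.get("vid"), ranges

def is_affected(ranges, name, version):
    """True if 'version' of package 'name' satisfies every bound of some <range>."""
    v = parse_version(version)
    return any(all(BOUND_OPS[op](v, bound) for op, bound in bounds)
               for bounds in ranges.get(name, []))

if __name__ == "__main__":
    vid, ranges = parse_entry(VUXML_ENTRY)
    # The commit updated www/typo345 to 4.5.14, which must fall outside the entry.
    for name, version in [("typo345", "4.5.13"), ("typo345", "4.5.14"), ("typo3", "4.6.6")]:
        print(f"{vid}: {name}-{version} affected={is_affected(ranges, name, version)}")
```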