Date:      Mon, 2 Apr 2012 23:16:51 +0200
From:      "Helmut Schneider" <jumper99@gmx.de>
To:        "Ruslan Mahmatkhanov" <cvs-src@yandex.ru>, "Jason Helfman" <jgh@FreeBSD.org>
Cc:        cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr
Message-ID:  <D649B5AEC45D47BB9A9C82E3CC7584D6@charlieroot.de>
In-Reply-To: <4F755BBF.7020607@yandex.ru>
References:  <201203291821.q2TILLmU032333@repoman.freebsd.org> <CAMuy=+grs_W9Gvck0reDsb5arYGg3N6Az23=WxzoTGxMsQdSnw@mail.gmail.com> <4F755BBF.7020607@yandex.ru>

Does this look reasonable?

  <vuln vid="cf36b6a1-7d08-11e1-b720-000c2994762c">
    <topic>Typo3 - Cross-Site Scripting, Information Disclosure, Insecure Unserialize</topic>
    <affects>
      <package>
        <name>typo3</name>
        <range><ge>4.6</ge><le>4.6.6</le></range>
      </package>
      <package>
        <name>typo345</name>
        <range><ge>4.5</ge><le>4.5.13</le></range>
      </package>
      <package>
        <name>typo344</name>
        <range><ge>4.4</ge><le>4.4.13</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The typo3 security team reports:</p>
        <blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/">
          <p>Due to a missing signature (HMAC) for a request argument, an 
attacker could unserialize arbitrary objects within TYPO3.</p>
          <p>Failing to properly HTML-encode user input in several places, 
the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend 
user is required to exploit these vulnerabilities.</p>
          <p>Accessing a CLI Script directly with a browser may disclose the 
database name used for the TYPO3 installation.</p>
          <p>By not removing non printable characters, the API method 
t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, 
thus is susceptible to Cross-Site Scripting.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2012-1605</cvename>
      <cvename>CVE-2012-1606</cvename>
      <cvename>CVE-2012-1607</cvename>
      <cvename>CVE-2012-1608</cvename>
      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/</url>
    </references>
    <dates>
      <discovery>2012-03-28</discovery>
    </dates>
  </vuln>


--------------------------------------------------
From: "Ruslan Mahmatkhanov" <cvs-src@yandex.ru>
Sent: Friday, March 30, 2012 9:07 AM
To: "Jason Helfman" <jgh@FreeBSD.org>
Cc: <ports-committers@freebsd.org>; <cvs-ports@freebsd.org>; 
<cvs-all@freebsd.org>; "Helmut Schneider" <jumper99@gmx.de>
Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr

> Jason Helfman wrote on 30.03.2012 10:30:
>> On Thu, Mar 29, 2012 at 11:21 AM, Ruslan 
>> Mahmatkhanov<rm@freebsd.org>wrote:
>>
>>> rm          2012-03-29 18:21:21 UTC
>>>
>>>   FreeBSD ports repository
>>>
>>>   Modified files:
>>>     www/typo345          Makefile distinfo pkg-descr
>>>   Log:
>>>   - update to 4.5.14
>>>
>>>   See
>>> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/
>>>
>>>   PR:             166467 
>>> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=166467
>>>   Submitted by:   Helmut Schneider<jumper99 at gmx dot de>  (maintainer)
>>>   Feature safe:   yes
>>>
>>>   Revision  Changes    Path
>>>   1.60      +1 -1      ports/www/typo345/Makefile
>>>   1.42      +4 -4      ports/www/typo345/distinfo
>>>   1.7       +1 -1      ports/www/typo345/pkg-descr
>>>
>>>
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/Makefile.diff?&r1=1.59&r2=1.60&f=h
>>>
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/distinfo.diff?&r1=1.41&r2=1.42&f=h
>>>
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/pkg-descr.diff?&r1=1.6&r2=1.7&f=h
>>>
>>>
>> Are there any plans to document these updates in vuxml?
>>
>> -jgh
>>
>
> No, I haven't. Helmut, would you?
>
> -- 
> Regards,
> Ruslan
>
> Tinderboxing kills... the drives.
> 



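To show how the `<affects>` ranges of a VuXML entry like the draft above are evaluated against an installed package version, here is an added Python example; it is not part of this thread or of FreeBSD's vuxml tooling. It parses a trimmed copy of the draft entry and assumes a simplified dotted-numeric version ordering in place of FreeBSD's full pkg version rules.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the draft <vuln> entry posted above (description omitted).
VUXML_ENTRY = """<vuln vid="cf36b6a1-7d08-11e1-b720-000c2994762c">
  <topic>Typo3 - Cross-Site Scripting, Information Disclosure, Insecure Unserialize</topic>
  <affects>
    <package><name>typo3</name><range><ge>4.6</ge><le>4.6.6</le></range></package>
    <package><name>typo345</name><range><ge>4.5</ge><le>4.5.13</le></range></package>
    <package><name>typo344</name><range><ge>4.4</ge><le>4.4.13</le></range></package>
  </affects>
  <references>
    <cvename>CVE-2012-1605</cvename><cvename>CVE-2012-1606</cvename>
    <cvename>CVE-2012-1607</cvename><cvename>CVE-2012-1608</cvename>
  </references>
</vuln>"""


def version_key(version):
    """Simplified ordering: compare dotted numeric components left to right.
    Assumption: FreeBSD pkg suffixes such as _1 or ,1 are not handled here."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, range_el):
    """Evaluate one <range>: every bound it contains (lt, le, gt, ge, eq) must hold."""
    v = version_key(version)
    checks = {
        "lt": lambda b: v < b, "le": lambda b: v <= b,
        "gt": lambda b: v > b, "ge": lambda b: v >= b, "eq": lambda b: v == b,
    }
    for bound in range_el:
        if not checks[bound.tag](version_key(bound.text.strip())):
            return False
    return True


def affected_cves(entry_xml, package, version):
    """Return the entry's CVE ids if package/version falls in an affected range, else []."""
    vuln = ET.fromstring(entry_xml)
    for pkg in vuln.iter("package"):
        if pkg.findtext("name") != package:
            continue
        # A package is affected if any of its <range> elements matches.
        if any(in_range(version, r) for r in pkg.findall("range")):
            return [c.text for c in vuln.iter("cvename")]
    return []


if __name__ == "__main__":
    # 4.5.14 is the fixed version from the commit log quoted above.
    for pkg, ver in [("typo345", "4.5.13"), ("typo345", "4.5.14"), ("typo3", "4.6.7")]:
        print(pkg, ver, affected_cves(VUXML_ENTRY, pkg, ver) or "not affected")
```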