Date: Tue, 19 Jul 2016 12:55:43 +0000 (UTC) From: Torsten Zuehlsdorff <tz@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r418774 - head/security/vuxml Message-ID: <201607191255.u6JCthFK080410@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tz Date: Tue Jul 19 12:55:43 2016 New Revision: 418774 URL: https://svnweb.freebsd.org/changeset/ports/418774 Log: www/typo3 and www/typo3-lts: Document missing access check in Extbase PR: 210870, 210871 Security: CVE-2016-5091 Security: https://vuxml.freebsd.org/freebsd/3caf4e6c-4cef-11e6-a15f-00248c0c745d.html Approved by: junovitch (mentor) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jul 19 12:30:09 2016 (r418773) +++ head/security/vuxml/vuln.xml Tue Jul 19 12:55:43 2016 (r418774) @@ -58,6 +58,44 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="3caf4e6c-4cef-11e6-a15f-00248c0c745d"> + <topic>typo3 -- Missing access check in Extbase</topic> + <affects> + <package> + <name>typo3</name> + <range><lt>7.6.8</lt></range> + </package> + <package> + <name>typo3-lts</name> + <range><lt>6.2.24</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>TYPO3 reports:</p> + <blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/">; + <p>Extbase request handling fails to implement a proper access check for + requested controller/ action combinations, which makes it possible for an + attacker to execute arbitrary Extbase actions by crafting a special request. To + successfully exploit this vulnerability, an attacker must have access to at + least one Extbase plugin or module action in a TYPO3 installation. The missing + access check inevitably leads to information disclosure or remote code + execution, depending on the action that an attacker is able to execute.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-5091</cvename> + <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/</url>; + <url>https://wiki.typo3.org/TYPO3_CMS_7.6.8</url>; + <url>https://wiki.typo3.org/TYPO3_CMS_6.2.24</url>; + </references> + <dates> + <discovery>2016-05-24</discovery> + <entry>2016-07-18</entry> + </dates> + </vuln> + <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf"> <topic>Multiple ports -- Proxy HTTP header vulnerability (httpoxy)</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607191255.u6JCthFK080410>