Message-ID: <50DFB862.8040101@redhat.com>
Date: Sat, 29 Dec 2012 20:43:30 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "security@...o3.org" <security@...o3.org>
Subject: Re: TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core

I'd like to get these CVEs assigned. Can someone from Typo3 please
reply? Thanks.


On 12/10/2012 02:32 PM, Kurt Seifried wrote:
> TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/
>
> I'm a little confused because multiple issues are listed together
> with a single CVSS2 score/etc.
> 
> Can the Typo3 security team please confirm the following:
> 
>> Component Type: TYPO3 Core
>> Affected Versions: 4.5.0 up to 4.5.20, 4.6.0 up to 4.6.13, 4.7.0 up
>> to 4.7.5 and development releases of the 6.0 branch.
>> Vulnerability Types: SQL Injection, Cross-Site Scripting,
>> Information Disclosure
> 
> So no CVEs needed for this; this is simply a summary of the issues
> below?
> 
>> Vulnerable subcomponent: TYPO3 Backend History Module
>> Vulnerability Type: SQL Injection, Cross-Site Scripting
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Thomas Worm who discovered and reported the
>> issue.
> 
> Did he discover both the SQL Injection and the Cross-Site
> Scripting issues? Can you provide a link to the specific code
> fixes?
> 
> So 2 CVEs needed, correct?
> 
>> Vulnerable subcomponent: TYPO3 Backend History Module
>> Vulnerability Type: Information Disclosure
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Core Team Member Oliver Hader who discovered
>> and fixed the issue.
> 
> So one CVE needed here? Can you provide a link to the specific code
> fixes?
> 
>> Vulnerable subcomponent: TYPO3 Backend API
>> Vulnerability Type: Cross-Site Scripting
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Johannes Feustel who discovered and reported
>> the issue.
> 
> So one CVE needed here? Can you provide a link to the specific code
> fixes?
> 
>> Vulnerability Type: Cross-Site Scripting
>> Solution: Update to the TYPO3 version 4.5.21, 4.6.14 or 4.7.6 that
>> fix the problem described!
>> Credits: Credits go to Richard Brain who discovered and reported the
>> issue.
> 
> So one CVE needed here? Can you provide a link to the specific code
> fixes?
> 
> Thanks for confirming this.
> 
> 

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

