The TYPO3 security team has identified a critical security issue in the TYPO3 v4 Core.
The following branches are affected by the vulnerability:
* TYPO3 4.3
Only TYPO3 installations which use the frontend login functionality are affected by this vulnerability.
Newer TYPO3 versions (4.7.0 or higher ) are NOT affected !
A TYPO3 4.5.40 release containing a security fix will be published the day after tomorrow, Thursday 19th of February at about 10:00 am CET .
If possible, we will provide patches for not supported releases.
Since this is a very important security fix, please be prepared to update your TYPO3 installations on Thursday.
Until the advisory is out, please understand that we cannot provide any further information.
CVSS v2.0 data on the to be released bulletin:
Base AV:N/AC:L/Au:N/C:P/I:P/A:N | Temporal E:F/RL:O/RC:C
Red Hat Enterprise Linux: Updated ews 2.1 tomcat7 packages that fix one bug are now available.
Red Hat Enterprise Linux: Updated bind-dyndb-ldap packages that fix one bug are now available for Red Hat
Red Hat Enterprise Linux: Updated ovirt-hosted-engine-setup packages that fix one bug are now available.
Red Hat Enterprise Linux: Updated vdsm packages that fix several bugs and add various enhancements are now
Red Hat Enterprise Linux: Updated system-config-printer packages that fix two bugs are now available for
Release Date: February 17, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: gridelements: Versions 3.0.0, 2.1.2 and below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C (What’s that? )
CVE: not assigned yet
Problem Description: The extension fails to properly escape user input in HTML context. Backend Editor permissions with access to any text field within any data table are required to exploit this vulnerability.
Solution: Updated versions 3.0.1 and 2.1.3 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/gridelements/3.0.1/t3x/ and http://typo3.org/extensions/repository/download/gridelements/2.1.3/t3x/ . Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Sven Jürgens who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide . Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Update to 2.40.7. This contains various security fixes for which CVEs have apparently not yet been issued.
Resolved Bugs 1191591 – cups: cupsRasterReadPixels buffer overflow [fedora-all]1191588 – CVE-2014-9679 cups: cupsRasterReadPixels buffer overflow<br
Resolved Bugs 1191591 – cups: cupsRasterReadPixels buffer overflow [fedora-all]1191588 – CVE-2014-9679 cups: cupsRasterReadPixels buffer overflow<br
Posts navigation
Software and Security Information