[TYPO3-dev] [Fwd: [TYPO3-announce] Announcing TYPO3 4.0.12, 4.1.10 and 4.2.6]
Lars Houmark
lars at typo3.org
Tue Feb 10 19:52:08 CET 2009
On 2009-02-10 10:53:07 -0500, Patrick Rodacker
<patrick.rodacker at the-reflection.de> said:
> I did the update and noticed that once the juHash is exposed, you have
> to update your encryption key in your localconf (install tool) as well
> to close the leak. This is stated on the security bulletins page, but I
> overlooked it at first glance, so IMO this should not go under "Other
> recommendations" but should be placed on top of the "Solutions"
> section.
This is only needed if your installation has been hacked by this
exploit already, meaning your install tool password and such have been
exposed.
The hash is unique for each "url" it is being used with, so
re-generating the encryptionKey is not needed unless your system has
been hacked.
On the other hand it never hurts to do it, and takes little time, when
done properly, and will indeed secure you to the most possible way.
--
Lars Houmark
Member of the TYPO3 Security Team