[Typo3] t3-SECURITY???

daniel ds at netzspiegel.de
Tue Feb 8 15:03:11 CET 2005


Olivier Dobberkau wrote:
> daniel wrote:
> 
> 
>>LOL
>>of  course it was not me who discovered these exploits :-)
>>all i wanna know is:
>>has anyone tested these bugs so far?
>>even though it's not typo3 itself that's insecure, it is software
>>needed by typo3 which one usually does not already have installed on
>>one's server.
>>a typo3-security list would be great (wouldn't it?)
> 
> 
> hi daniel
> 
> security bugs in external software are usually patched by the linux vendors. 
> if you use other versions of the software, so it's in your responsibility to 
> keep the software patched.
> all linux vendors have dedicated lists on the security topic.
> 
> typo3 wise there is no security mailing list as such. there have been talks 
> in kitbühel this year led by ekki gümbel and robert lemke about security 
> issues around typo3. please contact them to get the exact insight on this 
> matter.
> 
> in the past typo3 had one security issue, that was fixed within hours. 
> please search the well known security sources for typo3.
> 
> nevertheless security is a big issue in our typo3 community. please contact 
> kasper or robert if you have found security problems in typo3 code.
> 
> please do not start a security hysteria discussion without any reason.
> 
> greetings.
> 
> olivier
> 
> 

these mails are not intended to start a security hysteria, but i thought 
of things like the awstats extensions and alike, because i saw an 
exploit for awstats, so i wondered if it would work on the typo3-extensions.
i totally agree with you that we shouldn't start any kind of hysteria 
but i don't think we should NOT EVEN talk about possible vulnerabilities 
in typo3 because if we don't do so nobody will try to find anything and 
everyone feels safe without being it (perhaps).
i'm familiar with the way distributors fix vulnerabilities, so please 
don't tell me to contact them because you know that i am talking about 
things that are not installed by the OS but by typo3.
i think security is a very important topic and might become one of the 
most popular selling-reasons if we find out that all these exploits 
don't work because of good work by kasper and friends.

anyway:

I HEREBY SAY THAT AT THE MOMENT THERE IS NO KNOWN SECURITY BUG KNOWN TO 
ME AND THAT THESE MAILS ARE ONLY INTENDED TO DISCUSS A LITTLE SECURITY 
TOPICS!!!



More information about the TYPO3-english mailing list