[TYPO3] a thought about security announcements and automatic security alert

Marcus Krause marcus.krause at tu-clausthal.de
Tue May 27 11:38:45 CEST 2008


Krystian Szymukowicz schrieb:
> 
> Dmitry Dulepov [typo3] wrote:
>> Benjamin Mack wrote:
>>> Please contact the security team for that:
>>> http://typo3.org/teams/security/contact-us/
>
> Constrains can be:
> 1) all below and this, for example:
>    =<4.0.6
> 
> 2) a list of comma separated values
>    4.06,4.03,4.01
> 
> 
> 
> So it would be something as simple as:
> 
> sg_zfelib;=<1.1.512;TYPO3-20080527-2
> kj_imagelightbox2;=<1.4.2;TYPO3-20080527-1
> air_filemanager;=<0.6.0;TYPO3-20080515-2

Hi,

this is not as trivial as it might look. Some extension authors are
using minor version numbers as a kind of branch (see SVN). So a
constraint like "<=" won't work in general.
So a list of all insecure versions over all extensions is needed and
probably could be provided. But then you don't want to read such a list
as a feed that consists of hundreds of items (i.e. version numbers of
extensions).

Firstly, I'd like to see this functionality integrated into the EM, where
installed AND loaded extensions (which are insecure) are highlighted and
a warning box (like the one for ENABLE_INSTALL_TOOL) is fired up for
such extensions.
Later on you could think about the integration of such feature in the
superadmin tool.

Marcus
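To make the two points of this exchange concrete (the "ext;constraint;advisory" feed format proposed in the quoted post, and the objection above that a "=<" constraint misses parallel version branches), here is an added example checker. It is illustration written for this page, not code from TYPO3 or its Extension Manager, and it is in Python rather than PHP simply so the logic can be run stand-alone. The feed lines for sg_zfelib, kj_imagelightbox2 and air_filemanager are copied from the quoted post; the branchy_ext entry, its advisory id, and the whole "installed extensions" table are constructed for the example.

```python
"""Check installed TYPO3 extensions against a security feed of the form

    ext_key;constraint;advisory-id

where constraint is either "=<X.Y.Z" (this version and everything below it)
or a comma-separated list of exact vulnerable versions.  Added example for
this thread; not TYPO3 code.
"""
from typing import Dict, List, NamedTuple, Tuple


class FeedEntry(NamedTuple):
    ext_key: str
    constraint: str
    advisory: str


# Constructed sample feed.  First three lines are the ones quoted in the
# thread; "branchy_ext" and its advisory id are hypothetical and show an
# extension with two maintained branches (1.0.x and 1.1.x) both affected.
SAMPLE_FEED = """\
sg_zfelib;=<1.1.512;TYPO3-20080527-2
kj_imagelightbox2;=<1.4.2;TYPO3-20080527-1
air_filemanager;=<0.6.0;TYPO3-20080515-2
branchy_ext;1.0.0,1.0.1,1.1.0;TYPO3-HYPOTHETICAL-1
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.1.512' -> (1, 1, 512).  Numeric tuples compare correctly, whereas a
    plain string comparison would rank '1.1.9' above '1.1.512'.  Pad short
    versions so that '1.1' and '1.1.0' are treated as equal."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_feed(text: str) -> List[FeedEntry]:
    """Parse the ';'-separated feed, ignoring blank and '#' comment lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 3:
            raise ValueError(f"feed line {lineno}: expected 3 ';'-separated fields")
        entries.append(FeedEntry(*fields))
    return entries


def is_affected(installed: str, constraint: str) -> bool:
    """Evaluate one feed constraint against an installed version string."""
    c = constraint.strip()
    if c.startswith("=<") or c.startswith("<="):
        # "all below and this": a single upper bound.
        return parse_version(installed) <= parse_version(c[2:])
    # Otherwise an explicit list of vulnerable versions, which is the form
    # needed when an extension has parallel branches (see the reply above).
    vulnerable = {parse_version(v) for v in c.split(",") if v.strip()}
    return parse_version(installed) in vulnerable


def find_insecure(installed: Dict[str, Tuple[str, bool]],
                  feed: List[FeedEntry]) -> List[Tuple[str, str, str]]:
    """installed maps ext_key -> (version, loaded).  Returns (ext, version,
    advisory) only for extensions that are installed AND loaded and match a
    feed entry, i.e. the set the reply above wants the EM to highlight."""
    hits = []
    for entry in feed:
        if entry.ext_key not in installed:
            continue
        version, loaded = installed[entry.ext_key]
        if loaded and is_affected(version, entry.constraint):
            hits.append((entry.ext_key, version, entry.advisory))
    return hits


# Constructed example of one site's extension list: ext_key -> (version, loaded?)
SAMPLE_INSTALLED = {
    "sg_zfelib": ("1.1.400", True),        # below 1.1.512 and loaded -> flag
    "kj_imagelightbox2": ("1.4.3", True),  # above 1.4.2 -> fixed
    "air_filemanager": ("0.5.9", False),   # affected, but not loaded -> no box
    "branchy_ext": ("1.1.0", True),        # only the explicit list catches this
}

if __name__ == "__main__":
    for ext, ver, adv in find_insecure(SAMPLE_INSTALLED, parse_feed(SAMPLE_FEED)):
        print(f"WARNING: {ext} {ver} is affected by {adv}")
```

The branch caveat shows up directly: "=<1.0.1" evaluates 1.1.0 as safe, while the explicit list "1.0.0,1.0.1,1.1.0" marks it affected, so a feed entry for an extension with parallel branches has to use the list form (or one entry per branch). The check also keys off the loaded flag, so an installed but unloaded extension is not reported as a live warning.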

