[TYPO3] a thought about security announcements and automatic security alert

Krystian Szymukowicz typo3RE.MO.VE. at RE.MO.VE.prolabium.com
Tue May 27 12:07:47 CEST 2008


Marcus Krause wrote:
> Krystian Szymukowicz schrieb:
>> sg_zfelib;=<1.1.512;TYPO3-20080527-2
>> kj_imagelightbox2;=<1.4.2;TYPO3-20080527-1
>> air_filemanager;=<0.6.0;TYPO3-20080515-2
> 
> Hi,
> 
> this is not as trivial as it might look like. Some extension authors are
> using minor version numbers as kind of branches (see SVN). So a
> constraint like "<=" won't work in general.

Yes, you are right. It is too simple.


> So a list of all insecure versions over all extensions is needed and
> probably could be provided. 

I think it is too much writing to list all numbers.


What about:
a) comma-separated constraints of affected.
b) comma-separated constraints of exception.

  ext_key           affected versions        exceptions       bulletin
sg_zfelib;(1.1.0-1.1.512),(2.0.0-2.2.982);(2.0.1-2.0.2);TYPO3-20080527-2


> Firstly I'd like to see this functionality integrated in EM where
> installed AND loaded extensions (which are insecure) are highlighted and
> a warning box (like the one for ENABLE_INSTALL_TOOL) is fired up for
> such extensions.

And this is what I'd like to see as second :) That means not high priority.
Imagine you have 50 TYPO3 installations. You have to log into each to 
check if there are security alerts! Instead of that, you will simply be 
emailed if there is something bad.


-- 
grtz
Krystian Szymukowicz
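
Added example, not part of the original post and not TYPO3 code: a Python parser for the line format proposed above (ext_key;affected;exceptions;bulletin) that checks installed extension versions against it. It assumes ranges are inclusive and versions are numeric dotted strings; the function names, the empty exceptions field and the kj_imagelightbox2 line are constructed for illustration.

```python
import re

RANGE = re.compile(r"\((\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\)")

def ver(text):
    """'1.1.512' -> (1, 1, 512): compare numerically, padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_ranges(field):
    """'(1.1.0-1.1.512),(2.0.0-2.2.982)' -> list of inclusive (low, high) pairs."""
    ranges = []
    for item in filter(None, (i.strip() for i in field.split(","))):
        match = RANGE.fullmatch(item)
        if not match:
            raise ValueError(f"bad range: {item!r}")
        low, high = ver(match.group(1)), ver(match.group(2))
        if low > high:
            raise ValueError(f"reversed range: {item!r}")
        ranges.append((low, high))
    return ranges

def parse_line(line):
    """Split one advisory line: ext_key;affected;exceptions;bulletin."""
    fields = [f.strip() for f in line.split(";")]
    if len(fields) != 4 or not fields[0] or not fields[3]:
        raise ValueError(f"bad advisory line: {line!r}")
    key, affected, exceptions, bulletin = fields
    return key, parse_ranges(affected), parse_ranges(exceptions), bulletin

def within(version, ranges):
    return any(low <= version <= high for low, high in ranges)

def alerts(installed, advisory_lines):
    """Return (ext_key, version, bulletin) for each affected installed extension."""
    hits = []
    for line in filter(str.strip, advisory_lines):
        key, affected, exceptions, bulletin = parse_line(line)
        if key not in installed:
            continue
        version = ver(installed[key])
        if within(version, affected) and not within(version, exceptions):
            hits.append((key, installed[key], bulletin))
    return hits

# First line is the one from the post; the second is constructed.
ADVISORIES = [
    "sg_zfelib;(1.1.0-1.1.512),(2.0.0-2.2.982);(2.0.1-2.0.2);TYPO3-20080527-2",
    "kj_imagelightbox2;(0.0.0-1.4.2);;TYPO3-20080527-1",
]
INSTALLED = {"sg_zfelib": "1.1.9", "kj_imagelightbox2": "1.4.3"}  # constructed
```

Version 1.1.9 is flagged because components are compared as integers; a plain string comparison would place it above 1.1.512 and miss it.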

