[TYPO3-dev] [ANN] TYPO3 Security Bulletin TYPO3-20061220-1: Remote Command Execution in TYPO3
Peter Niederlag
niederlag at ikd01.de
Wed Dec 20 22:02:27 CET 2006
Hi,
Jason A. Lefkowitz wrote:
> Ingmar Schlecht wrote:
>> Dear users of TYPO3,
>>
>> a critical problem has been discovered in the rtehtmlarea extension.
>>
>
> There's a point in the bulletin I'm not sure I understand. I was using
> rtehtmlarea 1.3.7 on my site (the version that came with TYPO3 4.x).
> When I saw the bulletin, I grabbed the .t3x for rtehtmlarea 1.4.2 and
> installed it in sysext/ over the old version.
>
> This seems like it should close the security hole for me. However, the
> bulletin says that 1.4.2 is only for people who were using more recent
> rtehtmlarea versions -- that 1.3.7 users should upgrade to 1.3.8 (which
> I could not find in the Extension Repository).
>
> Is there any reason why I should not have upgraded to 1.4.2? Are there
> hidden "gotchas" in going from 1.3.7 to 1.4.2?

The version mess was just very troublesome!

We didn't test if 1.4.2 works when it is installed in sysext/. This
should work but we just didn't test it. Neither did we put the 1.3.8
version into ter, because this one is adjusted as sysext/, not for
typo3conf/ext/.

Again: in theory (and practice) the type of installation should not
matter but since we didn't try all combinations we did it this way.

So from what I can tell there are no hidden gotchas. .->

Greets,
Peter
--
Peter Niederlag
http://www.niekom.de * TYPO3 & IT services *
http://www.typo3partner.net * professional services network *