[Typo3] t3-SECURITY???

[Robert Lemke]

Hi Daniel Anonymous,

daniel wrote:

> all i wanna know is:
> has anyone tested these bugs so far?

yes, these bugs work perfectly! ;-)

> even though it's not typo3 itself that's insecure, it is software needed
> by typo3 which one usually does not alreaddy have installed on one's
> server.

We discussed that recently in the typo3.dev list. People complained that
Karsten Dambekalns (BTW, he is the leader of the TYPO3 security team)
posted a warning about some issue with ImageMagick. They argued that this
has nothing to do with TYPO3 itself so it mustn't be in our lists.

I also objected that if we warn people about issues in 3rd party software,
they will get used to it and what if we miss an important warning? The
solution will likely be that we offer some news feeds from 3rd party
security bulletins on a certain page on typo3.org (the upcoming t3secteam
page)

> a typo3-security list would be great (wouldn`t it?)

yes. That's why it already exists ;-) But for obvious reasons it is a
non-public list.

I have to admit that there is no information yet about whom to contact about
security issues. But that's because we're currently working on the
structure of typo3.org and the page which will hold that information simply
doesn't exist yet.

-- 
robert