[TYPO3-caretaker] Notification regarding insecure extension versions
Marcus Krause
marcus.krause at typo3.org
Thu Mar 28 11:07:03 CET 2013
Dear users of caretaker monitoring,
in the past we, the TYPO3 Security Team, were unable to mark all
vulnerable extension versions insecure. A bug in the TER infrastructure
[1] caused this. In the last days a typo3.org code sprint took place [2]
which fixed this bug. Thank you guys.
When you have been affected:
Given an extension "extkey" with published versions 0.1.0, 0.1.1, 0.2.0,
0.2.1, 0.3.0 and 0.3.1: when versions 0.3.0 and below have reported
security vulnerabilities, we might only have been able to mark 0.3.0 and
0.2.1 insecure.
You, having deployed e.g. 0.2.0, would not have been notified by the
caretaker and would only have become aware of it if you actively checked
your deployments on the basis of the published advisory.
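To make the gap in the scenario above concrete, here is a small added example (not code from this mail, from TER or from the caretaker project) that contrasts the two ways a monitor can decide whether a deployed version is affected: trusting only the versions TER managed to mark insecure, or comparing the deployed version against the advisory's own statement that everything below the fixed release is vulnerable. The version list, the "fixed in 0.3.1" assumption and the set of TER-marked versions are constructed to mirror the mail's example.

```python
from typing import Iterable, List, Set, Tuple

Version = Tuple[int, int, int]


def parse_version(v: str) -> Version:
    """Parse a dotted three-part version string such as '0.2.1' into a
    tuple that compares numerically (so '0.10.0' sorts after '0.9.0')."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


# Constructed sample data mirroring the mail's scenario; not real TER data.
PUBLISHED = ["0.1.0", "0.1.1", "0.2.0", "0.2.1", "0.3.0", "0.3.1"]
# Assumption: the advisory says 0.3.0 and below are vulnerable, i.e. fixed in 0.3.1.
ADVISORY_FIXED_IN = "0.3.1"
# What the buggy TER was able to mark insecure in the scenario.
TER_MARKED_INSECURE: Set[str] = {"0.3.0", "0.2.1"}


def vulnerable_by_advisory(deployed: str, fixed_in: str) -> bool:
    """Range check: every version strictly below the fixed release is affected."""
    return parse_version(deployed) < parse_version(fixed_in)


def vulnerable_by_ter_mark(deployed: str, marked: Set[str]) -> bool:
    """Enumerated check: affected only if TER explicitly marked this version."""
    return deployed in marked


def missed_by_ter(published: Iterable[str], fixed_in: str, marked: Set[str]) -> List[str]:
    """Versions the advisory covers but the TER marking omitted, i.e. the
    deployments a mark-only monitor would have stayed silent about."""
    return [
        v for v in published
        if vulnerable_by_advisory(v, fixed_in) and not vulnerable_by_ter_mark(v, marked)
    ]


if __name__ == "__main__":
    deployed = "0.2.0"
    print("TER mark says affected:  ", vulnerable_by_ter_mark(deployed, TER_MARKED_INSECURE))
    print("advisory range affected: ", vulnerable_by_advisory(deployed, ADVISORY_FIXED_IN))
    print("versions missed by TER:  ", missed_by_ter(PUBLISHED, ADVISORY_FIXED_IN, TER_MARKED_INSECURE))
```

Run as a script, the deployed 0.2.0 shows up as unaffected by the TER-mark check but affected by the advisory range, and 0.1.0, 0.1.1 and 0.2.0 are listed as the versions the incomplete marking missed; once TER marks all affected versions, as the mail announces, the two checks agree again.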
Only the following TER extensions are affected, i.e. those for which
vulnerable extension versions were insufficiently marked insecure:
* ameos_formidable
* attacalendar
* ch_lightem
* cms_poll
* cooluri
* dcdgooglemap
* div2007
* fed
* fe_mail
* gw_todo_fe
* h_book
* js_css_optimizer
* kh_photoweb
* kk_csv2table
* lonewsseo
* mn_mysql2json
* myquizpoll
* onetimeaccount
* onet_randomcontent
* pd_churchsearch
* phpunit
* powermail
* push2rss_3ds
* seminars
* sm_pageimprovements
* sr_static_info
* static_info_tables
* sys_messages
* t3jquery
* ve_guestbook
As the bug is now fixed, we are now marking all affected versions of the
above-mentioned extensions insecure. Depending on whether you are using the
mentioned extensions, and in which version, your caretaker will notify you
about the changes.
Thank you for your understanding,
Marcus Krause on behalf of the TYPO3 Security Team.
[1] http://forge.typo3.org/issues/39640
[2] http://typo3.org/news/article/what-did-the-guys-do-at-the-last-typo3org-code-sprint/
--
Marcus Krause
TYPO3 Security Team
TYPO3 .... inspiring people to share!
Get involved: typo3.org