[TYPO3-core] Issue #26876 is public...

Oliver Hader oliver.hader at typo3.org
Thu Aug 4 14:38:02 CEST 2011


Hi Steffen,

On 04.08.11 10:03, Steffen Müller wrote:
> Hi,
> 
> the bugreport itself is read protected:
> http://forge.typo3.org/issues/26876
> 
> But since the changeset was merged to master, git log reveals
> "Unprivileged backend user can read arbitrarily from database"
> 
> The changeset is also public in gerrit:
> https://review.typo3.org/#change,4056
> 
> Question is: Is it critical and will a new release follow?

It's critical if you used those legacy setups and if (regular) backend
users might cause damage to the system. The security patches from last
week already showed how this could be exploited and also how it was
fixed - so it's not critical in terms of having new security releases
(besides that those releases won't be announced... ;-)

But since there was one regression, it's planned to have new releases
for 4.3, 4.4 and 4.5 next Tuesday Aug 9th 2011.

BTW: I've created some snapshot releases yesterday that already have
those regression fixes. These packages contain blankpackage and dummy -
as it has been requested in another thread on packaging in this thread.

If you wanna check these (unofficial) snapshot releases here's the link:
http://sourceforge.net/projects/typo3/files/TYPO3%20Source%20and%20Dummy/

Cheers,
Olly
-- 
Oliver Hader
TYPO3 v4 Core Team Leader

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

