[TYPO3-core] Issue #26876 is public...
Oliver Hader
oliver.hader at typo3.org
Tue Aug 9 13:09:47 CEST 2011

Hi everybody,

initially we planned to have a release today. However there are some
initiatives and concerns on the fonttag security fix that are still
discussed. So hopefully we can have a release tomorrow on Wednesday or
at least on Thursday.

Thanks for your understanding.

Cheers,
Olly

On 04.08.11 14:38, Oliver Hader wrote:
> Hi Steffen,
>
> On 04.08.11 10:03, Steffen Müller wrote:
>> Hi,
>>
>> the bugreport itself is read protected:
>> http://forge.typo3.org/issues/26876
>>
>> But since the changeset was merged to master, git log reveals
>> "Unprivileged backend user can read arbitrarily from database"
>>
>> The changeset is also public in gerrit:
>> https://review.typo3.org/#change,4056
>>
>> Question is: Is it critical and will a new release follow?
>
> It's critical if you used those legacy setups and if (regular) backend
> users might cause damage to the system. The security patches from last
> week already showed how this could be exploited and also how it was
> fixed - so it's not critical in terms of having new security releases
> (besides that those releases won't be announced... ;-)
>
> But since there was one regression, it's planned to have new releases
> for 4.3, 4.4 and 4.5 next Tuesday Aug 9th 2011.
>
> BTW: I've created some snapshot releases yesterday that already have
> those regression fixes. These packages contain blankpackage and dummy -
> as it has been requested in another thread on packaging in this thread.
>
> If you wanna check these (unofficial) snapshot releases here's the link:
> http://sourceforge.net/projects/typo3/files/TYPO3%20Source%20and%20Dummy/
>
> Cheers,
> Olly
--
Oliver Hader
TYPO3 v4 Core Team Leader
TYPO3 .... inspiring people to share!
Get involved: http://typo3.org