[TYPO3-core] Issue #26876 is public...

Oliver Hader oliver.hader at typo3.org
Wed Aug 10 13:51:40 CEST 2011


Hi everybody,

since there have been some changesets on review.typo3.org with the aim
to get an alternative solution on the known fontTag security fix that was
already released, I created an additional analyzer.

So, if you did not upgrade yet or "patched away" the fontTag fix since
you did not know what side-effects to expect on your servers with
thousands of TYPO3 instances, then you can use that tool to have some
basic checks. Find more information in the README.txt file there:
https://svn.typo3.org/TYPO3v4/Extensions/ollytest/trunk/analyze/

So, in case this is helpful for somebody, please give me some feedback -
here on the list or if you prefer directly by private mail as well.

Cheers,
Olly


On 09.08.11 13:09, Oliver Hader wrote:
> Hi everybody,
> 
> initially we planned to have a release today. However there are some
> initiatives and concerns on the fonttag security fix that are still
> discussed. So hopefully we can have a release tomorrow on Wednesday or
> at least on Thursday.
> 
> Thanks for your understanding.
> 
> Cheers,
> Olly
> 
> 
> On 04.08.11 14:38, Oliver Hader wrote:
>> Hi Steffen,
>>
>> On 04.08.11 10:03, Steffen Müller wrote:
>>> Hi,
>>>
>>> the bugreport itself is read protected:
>>> http://forge.typo3.org/issues/26876
>>>
>>> But since the changeset was merged to master, git log reveals
>>> "Unprivileged backend user can read arbitrarily from database"
>>>
>>> The changeset is also public in gerrit:
>>> https://review.typo3.org/#change,4056
>>>
>>> Question is: Is it critical and will a new release follow?
>>
>> It's critical if you used that legacy setup and if (regular) backend
>> users might cause damage to the system. The security patches from last
>> week already showed how this could be exploited and also how it was
>> fixed - so it's not critical in terms of having new security releases
>> (besides that those releases won't be announced... ;-)
>>
>> But since there was one regression, it's planned to have new releases
>> for 4.3, 4.4 and 4.5 next Tuesday Aug 9th 2011.
>>
>> BTW: I've created some snapshot releases yesterday that already have
>> those regression fixes. These packages contain blankpackage and dummy -
>> as it has been requested in another thread on packaging in this thread.
>>
>> If you wanna check these (unofficial) snapshot releases here's the link:
>> http://sourceforge.net/projects/typo3/files/TYPO3%20Source%20and%20Dummy/
>>
>> Cheers,
>> Olly


-- 
Oliver Hader
TYPO3 v4 Core Team Leader

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

