[TYPO3-core] Issue #26876 is public...

Oliver Hader oliver.hader at typo3.org
Fri Aug 12 12:12:09 CEST 2011


Hi everybody,

besides the possibility to solve the real problem, there's a new patch
that adds a fallback for websites out of the box. The changes are
considered to be integrated to TYPO3 4.5, 4.4 and 4.3. TYPO3 4.6 will
stay as it is.

Since these changes require a bit more feedback, please have a look at:
https://review.typo3.org/#q,status:open+project:TYPO3v4/Core+topic:28847,n,z

Thanks in advance!

Cheers,
Olly


Am 10.08.11 13:51, schrieb Oliver Hader:
> Hi everybody,
> 
> since there have been some changesets on review.typo3.org with the aim
> to get an alternative solution on the known fontTag security fix that was
> already released, I created an additional analyzer.
> 
> So, if you did not upgrade yet or "patched away" the fontTag fix since
> you did not know what side-effects to expect on your servers with
> thousands of TYPO3 instances, then you can use that tool to have some
> basic checks. Find more information in the README.txt file there:
> https://svn.typo3.org/TYPO3v4/Extensions/ollytest/trunk/analyze/
> 
> So, in case this is helpful for somebody, please give me some feedback -
> here on the list or if you prefer directly by private mail as well.
> 
> Cheers,
> Olly
> 
> 
> Am 09.08.11 13:09, schrieb Oliver Hader:
>> Hi everybody,
>>
>> initially we planned to have a release today. However there are some
>> initiatives and concerns on the fonttag security fix that are still
>> discussed. So hopefully we can have a release tomorrow on Wednesday or
>> at least on Thursday.
>>
>> Thanks for your understanding.
>>
>> Cheers,
>> Olly
>>
>>
>> Am 04.08.11 14:38, schrieb Oliver Hader:
>>> Hi Steffen,
>>>
>>> Am 04.08.11 10:03, schrieb Steffen Müller:
>>>> Hi,
>>>>
>>>> the bugreport itself is read protected:
>>>> http://forge.typo3.org/issues/26876
>>>>
>>>> But since the changeset was merged to master, git log reveals
>>>> "Unprivileged backend user can read arbitrarily from database"
>>>>
>>>> The changeset is also public in gerrit:
>>>> https://review.typo3.org/#change,4056
>>>>
>>>> Question is: Is it critical and will a new release follow?
>>>
>>> It's critical if you used that legacy setup and if (regular) backend
>>> users might cause damage to the system. The security patches from last
>>> week already showed how this could be exploited and also how it was
>>> fixed - so it's not critical in terms of having new security releases
>>> (besides that those releases won't be announced... ;-)
>>>
>>> But since there was one regression, it's planned to have new releases
>>> for 4.3, 4.4 and 4.5 next Tuesday Aug 9th 2011.
>>>
>>> BTW: I've created some snapshot releases yesterday that already have
>>> those regression fixes. These packages contain blankpackage and dummy -
>>> as it has been requested in another thread on packaging in this thread.
>>>
>>> If you wanna check these (unofficial) snapshot releases here's the link:
>>> http://sourceforge.net/projects/typo3/files/TYPO3%20Source%20and%20Dummy/
>>>
>>> Cheers,
>>> Olly
> 
> 


-- 
Oliver Hader
TYPO3 v4 Core Team Leader

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org
