Mailinglist Archive: opensuse-updates (119 mails)

openSUSE-SU-2013:0510-1: moderate: typo3-cms-4_5/typo3-cms-4_6/typo3-cms-4_7: security and bugfix updates
openSUSE Security Update: typo3-cms-4_5/typo3-cms-4_6/typo3-cms-4_7:
security and bugfix updates
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:0510-1
Rating: moderate
References: #808528
Cross-References: CVE-2013-1842 CVE-2013-1843
Affected Products:
openSUSE 12.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:


The Typo3 CMS versions were updated to receive security and
bug fixes.

- Raised to version 4.5.25

* bugfix: External URL regression by jumpurl security fix
(Helmut Hummel), t3#46071

- Raised to version 4.5.24
* Raise submodule pointer (TYPO3 Release Team)
* security: Open redirection with jumpurl (Franz G.
Jahn), t3#28587, bnc#808528, CVE-2013-1843
* bugfix: Check minitems for TCAtree (Georg Ringer),
t3#25003
* bugfix: Keep hyphens in custom HTML5 attributes (Jigal
van Hemert), t3#34371
* Revert "[BUGFIX] FE session records are never removed"
(Oliver Hader), t3#45570
- security fix: Typo3 Extbase Framework SQL Injection,
bnc#808528, CVE-2013-1842

- Raised to version 4.5.23
* Raise submodule pointer
* bugfix: t3lib_iconWorks must check if array exists
before using it, t3#24248
* bugfix: BE user switch impossible when in adminOnly
mode, t3#32686
* bugfix: Excludefieds must exclude admin only tables,
t3#34460
* bugfix: TypoLink: absolute urls when installed in
subfolder, t3#33214
* Raise submodule pointer
* bugfix: [Cache][PDO] Duplicate cache entry possible,
t3#34129
* bugfix: IE9 compatibility clear cache menu, t3#36364
* bugfix: Hook call modifyDBRow in ContentContentObject,
t3#44416
* bugfix: Fix misspelling in RTE meta menu, t3#43886
* bugfix: load TCA before manipulation, t3#38505
* DataHandler::getAutoVersionId() should be public,
t3#45050
* bugfix: Load date-time picker in scheduler module,
t3#31027
* bugfix: Quick Edit triggers warnings of missing key
uid, t3#42845
* Raise submodule pointer
* bugfix: Fix warnings in em on tab Maintenance, t3#39680
* bugfix: Correct TCA inclusion for uploads rendering,
t3#44145
* bugfix: Update description on changed error reporting
defaults, t3#38240
* bugfix: Fix typos in stdWrap_crop description, t3#43919
* bugfix: Apc Cache backend has side effects, t3#38135
* bugfix: Invalid call to
t3lib_TCEmain::processRemapStack(), t3#44301
* Raise submodule pointer
* bugfix: Suggest wizard is behind form inputs, t3#42092
* bugfix: phpdoc: $urlParameters can be a string, t3#44263
* bugfix: FE session records are never removed, t3#34964
* bugfix: INTincScript_loadJSCode() causes PHP warnings,
t3#32278
* bugfix: Enable the RTE with WebKit version 534 on iOS
and Android, t3#43603
* bugfix: Remove HTML in RuntimeException from sysext
'install', t3#38472
* bugfix: Fix wrong column title in web>list for field
colpos, t3#25113
* bugfix: SqlParser: trim all kinds of whitespaces,
t3#43470
* Remove typo3.pageModule.js, t3#43459
* bugfix: Installer: Reference images wrong, t3#42292
* bugfix: Page Information shows incorrect number of
total hits, t3#41608
* bugfix: Old logo on "Install Tool is locked" page,
t3#42908
* openid: Update php-openid to 2.2.2, t3#42236
* Group excludefields by table, t3#34098
* bugfix: Hide version selector if workspaces are used,
t3#43264
* Raise submodule pointer

- Raised version to 4.6.18
* bugfix: External URL regression by jumpurl security fix
(Helmut Hummel), t3#46071

- Raised version to 4.6.17
* Raise submodule pointer (TYPO3 Release Team)
* security: Open redirection with jumpurl (Franz G.
Jahn), t3#28587, bnc#808528, CVE-2013-1843
- security fix: Typo3 Extbase Framework SQL Injection,
bnc#808528, CVE-2013-1842

- Raised version to 4.6.16
* bugfix: L10n fallback does not work for TS labels,
t3#44099
* bugfix: L10n fallback does not work for ExtJS in BE,
t3#44273
* Raise submodule pointer
* bugfix: Allow "en" as language key, t3#42084
* Raise submodule pointer
* bugfix: [Cache][PDO] Duplicate cache entry possible,
t3#34129
* bugfix: IE9 compatibility clear cache menu, t3#36364
* bugfix: Hook call modifyDBRow in ContentContentObject,
t3#44416
* bugfix: Fix misspelling in RTE meta menu, t3#43886
* bugfix: load TCA before manipulation, t3#38505
* bugfix: add check for empty form values in FORM View,
t3#28606
* DataHandler::getAutoVersionId() should be public,
t3#45050
* bugfix: Quick Edit triggers warnings of missing key
uid, t3#42845
* Raise submodule pointer
* bugfix: Fix warnings in em on tab Maintenance, t3#39680
* bugfix: Correct TCA inclusion for uploads rendering,
t3#44145
* bugfix: Update description on changed error reporting
defaults, t3#38240
* bugfix: Fix typos in stdWrap_crop description, t3#43919
* bugfix: Apc Cache backend has side effects, t3#38135
* bugfix: Invalid call to
t3lib_TCEmain::processRemapStack(), t3#44301
* Raise submodule pointer
* bugfix: Suggest wizard is behind form inputs, t3#42092
* bugfix: phpdoc: $urlParameters can be a string, t3#44263
* bugfix: FE session records are never removed, t3#34964
* bugfix: INTincScript_loadJSCode() causes PHP warnings,
t3#32278
* bugfix: Fix broken logo file in Install Tool, t3#43426
* bugfix: Remove HTML in RuntimeException from sysext
'install', t3#38472
* bugfix: Fix wrong column title in web>list for field
colpos, t3#25113
* bugfix: SqlParser: trim all kinds of whitespaces,
t3#43470
* Remove typo3.pageModule.js, t3#43459
* bugfix: Installer: Reference images wrong, t3#42292
* bugfix: Page Information shows incorrect number of
total hits, t3#41608
* bugfix: Old logo on "Install Tool is locked" page,
t3#42908
* bugfix: Form values with newlines escaped in email,
t3#32515
* openid: Update php-openid to 2.2.2, t3#42236
* bugfix: Wizard in HTML element moved to t3editor,
t3#33813
* bugfix: Livesearch toolbar should close others, t3#32890
* bugfix: Hide version selector if workspaces are used,
t3#43264
* bugfix: Subject field in FormWizard, t3#35787
* Raise submodule pointer
* bugfix: Invalid behavior of search for integer in
Backend search, t3#33700
* fluid, bugfix: Unit test fails with broken timezone,
t3#45285
* fluid, bugfix: Date ViewHelper not using configured
Timezones, t3#12769
* fluid, bugfix: Fix typo and improve backup of system
settings, t3#45218
* fluid, bugfix: Remove PHP Error caused by setlocale
call, t3#45118
* fluid, bugfix: Incomplete locale backup in unit test,
t3#44835
* fluid, bugfix: selectViewHelper sorting should respect
locales, t3#43445
* fluid, bugfix: Image viewhelper clears $GLOBALS['TSFE']
in backend context, t3#43446
* fluid, bugfix: AbstractFormFieldViewHelper always
converts entities, t3#34091
* linkvalidator, bugfix: SQL error in getLinkCounts,
t3#43322
* version, bugfix: Catchable fatal error when using the
swap button, t3#42948

- Raised to version 4.7.10
* bugfix: External URL regression by jumpurl security fix
(Helmut Hummel), t3#46071

- Added rpmlintrc to suppress duplicated files warning.

- Raised to version 4.7.9
* Raise submodule pointer (TYPO3 Release Team)
* security: Open redirection with jumpurl (Franz G.
Jahn), t3#28587, bnc#808528, CVE-2013-1843
* bugfix: Invalid RSA key when submitting form twice
(Benjamin Mack), t3#40085
- security fix: Typo3 Extbase Framework SQL Injection,
bnc#808528, CVE-2013-1842

- Raised to version 4.7.8
* bugfix: L10n fallback does not work for TS labels,
t3#44099
* bugfix: L10n fallback does not work for ExtJS in BE,
t3#44273
* Raise submodule pointer
* bugfix: Allow "en" as language key, t3#42084
* Raise submodule pointer
* bugfix: [Cache][PDO] Duplicate cache entry possible,
t3#34129
* bugfix: IE9 compatibility clear cache menu, t3#36364
* bugfix: Hook call modifyDBRow in ContentContentObject,
t3#44416
* bugfix: Fix misspelling in RTE meta menu, t3#43886
* bugfix: load TCA before manipulation, t3#38505
* bugfix: add check for empty form values in FORM View,
t3#28606
* DataHandler::getAutoVersionId() should be public,
t3#45050
* bugfix: Possible warning in about module, t3#44892
* bugfix: Quick Edit triggers warnings of missing key
uid, t3#42845
* Raise submodule pointer
* bugfix: Fix warnings in em on tab Maintenance, t3#39680
* bugfix: EXT:felogin: Multiple bugs with
preserveGETvars, t3#19938
* bugfix: Correct TCA inclusion for uploads rendering,
t3#44145
* bugfix: array_merge_recursive_overrule: __UNSET for
array values, t3#43874
* bugfix: Update description on changed error reporting
defaults, t3#38240
* bugfix: Fix typos in stdWrap_crop description, t3#43919
* Add save only button to Scheduler task, t3#44152
* bugfix: Apc Cache backend has side effects, t3#38135
* bugfix: Invalid call to
t3lib_TCEmain::processRemapStack(), t3#44301
* Raise submodule pointer
* Suggest wizard is behind form inputs, t3#42092
* bugfix: phpdoc: $urlParameters can be a string, t3#44263
* bugfix: FE session records are never removed, t3#34964
* bugfix: INTincScript_loadJSCode() causes PHP warnings,
t3#32278
* bugfix: Fix broken logo file in Install Tool, t3#43426
* bugfix: Enable the RTE with WebKit version 534 on iOS
and Android, t3#43603
* bugfix: IE9 crashes after saving with RTE, t3#43766
* bugfix: Remove HTML in RuntimeException from sysext
'install', t3#38472
* bugfix: Compatibility fix for
get_html_translation_table(), t3#39287
* bugfix: Fix wrong column title in web>list for field
colpos, t3#25113
* bugfix: SqlParser: trim all kinds of whitespaces,
t3#43470
* Remove typo3.pageModule.js, t3#43459
* bugfix: Installer: Reference images wrong, t3#42292
* bugfix: Page Information shows incorrect number of
total hits, t3#41608
* bugfix: Old logo on "Install Tool is locked" page,
t3#42908
* bugfix: Form values with newlines escaped in email,
t3#32515
* openid: Update php-openid to 2.2.2, t3#42236
* bugfix: Hide version selector if workspaces are used,
t3#43264
* bugfix: Subject field in FormWizard, t3#35787
* Raise submodule pointer
* Invalid behavior of search for integer in Backend
search, t3#33700


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

zypper in -t patch openSUSE-2013-232

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.3 (noarch):

typo3-cms-4_5-4.5.25-2.4.1
typo3-cms-4_6-4.6.18-2.4.1
typo3-cms-4_7-4.7.10-2.4.1
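A quick way to confirm that the update above actually landed is to compare the installed package versions against the fixed ones in the package list. The script below is an added example, not part of the advisory or of openSUSE's tooling: it takes the fixed versions from the package list above (4.5.25, 4.6.18, 4.7.10), parses name-version-release strings of the kind `rpm -q typo3-cms-4_5 typo3-cms-4_6 typo3-cms-4_7` prints, and reports which of the three branches are still below the fixed version. The `SAMPLE_RPM_QUERY` input is constructed for the demonstration and is not output from a real host; on a real system you would pipe the `rpm -q` output into `vulnerable_count` instead.

```shell
#!/bin/sh
# Fixed versions taken from the advisory's package list (openSUSE 12.3, noarch).
FIXED_4_5=4.5.25
FIXED_4_6=4.6.18
FIXED_4_7=4.7.10

# vercmp A B : prints -1, 0 or 1 depending on whether dotted numeric
# version A is lower than, equal to or higher than B. Only purely numeric
# components (the form these packages use) are handled.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# typo3_status NVR : prints "fixed", "vulnerable" or "unknown" for one
# name-version-release string such as typo3-cms-4_5-4.5.25-2.4.1.
typo3_status() {
    nv=${1%-*}          # strip the release (2.4.1)
    ver=${nv##*-}       # upstream version (4.5.25)
    name=${nv%-*}       # package name (typo3-cms-4_5)
    case "$name" in
        typo3-cms-4_5) fixed=$FIXED_4_5 ;;
        typo3-cms-4_6) fixed=$FIXED_4_6 ;;
        typo3-cms-4_7) fixed=$FIXED_4_7 ;;
        *) printf '%s\n' unknown; return 0 ;;
    esac
    case "$(vercmp "$ver" "$fixed")" in
        -1) printf '%s\n' vulnerable ;;
        *)  printf '%s\n' fixed ;;
    esac
}

# vulnerable_count : reads NVR lines on stdin, reports each one on stderr
# and prints the number of packages still below the fixed version.
vulnerable_count() {
    n=0
    while IFS= read -r nvr; do
        if [ -z "$nvr" ]; then continue; fi
        status=$(typo3_status "$nvr")
        printf '%s: %s\n' "$nvr" "$status" >&2
        if [ "$status" = vulnerable ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Constructed sample of `rpm -q` output (not from a real host): the 4.5 and
# 4.6 packages are still one release behind, only 4.7 has been updated.
SAMPLE_RPM_QUERY='typo3-cms-4_5-4.5.24-2.3.1
typo3-cms-4_6-4.6.17-2.3.1
typo3-cms-4_7-4.7.10-2.4.1'

# Stand-alone run: prints the per-package verdicts and the count (2 here).
printf '%s\n' "$SAMPLE_RPM_QUERY" | vulnerable_count
```

A non-zero count means `zypper in -t patch openSUSE-2013-232` (or `zypper patch`) has not been applied to that branch yet; an `unknown` verdict simply means the line was not one of the three TYPO3 packages this advisory covers.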


References:

http://support.novell.com/security/cve/CVE-2013-1842.html
http://support.novell.com/security/cve/CVE-2013-1843.html
https://bugzilla.novell.com/808528

