openSUSE Security Update: typo3-cms-4_5: Update to 4.5.34 to fix eight security issues
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0813-1
Rating:             moderate
References:         #881280 #881281 #881282
Cross-References:   CVE-2014-3941 CVE-2014-3942 CVE-2014-3943
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
typo3-cms-4_5 was updated to version 4.5.34 to fix eight security vulnerabilities and several other bugs.
These security problems were fixed:
   * Add trusted HTTP_HOST configuration (CVE-2014-3941)
   * XSS in (old) extension manager information function (CVE-2014-3943)
   * XSS in new content element wizard (CVE-2014-3943)
   * XSS in template tools on root page (CVE-2014-3943)
   * XSS in Backend Layout Wizard (CVE-2014-3943)
   * Encode URL for use in JavaScript (CVE-2014-3943)
   * Fix insecure unserialize in colorpicker (CVE-2014-3942)
   * Remove charts.swf to get rid of XSS vulnerability (CVE-2014-3943)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-429

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-429
To bring your system up-to-date, use "zypper patch".
Package List:
   - openSUSE 13.1 (noarch):

      typo3-cms-4_5-4.5.34-2.4.1

   - openSUSE 12.3 (noarch):

      typo3-cms-4_5-4.5.34-2.8.1
References:
   http://support.novell.com/security/cve/CVE-2014-3941.html
   http://support.novell.com/security/cve/CVE-2014-3942.html
   http://support.novell.com/security/cve/CVE-2014-3943.html
   https://bugzilla.novell.com/881280
   https://bugzilla.novell.com/881281
   https://bugzilla.novell.com/881282