openSUSE-SU-2014:0813-1: moderate: typo3-cms-4_5: Update to 4.5.34 to fix eight security issues
openSUSE Security Update: typo3-cms-4_5: Update to 4.5.34 to fix eight security issues
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0813-1
Rating:             moderate
References:         #881280 #881281 #881282
Cross-References:   CVE-2014-3941 CVE-2014-3942 CVE-2014-3943
Affected Products:
  openSUSE 13.1
  openSUSE 12.3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

typo3-cms-4_5 was updated to version 4.5.34 to fix eight security
vulnerabilities and several other bugs.

These security problems were fixed:

* Add trusted HTTP_HOST configuration (CVE-2014-3941)
* XSS in (old) extension manager information function (CVE-2014-3943)
* XSS in new content element wizard (CVE-2014-3943)
* XSS in template tools on root page (CVE-2014-3943)
* XSS in Backend Layout Wizard (CVE-2014-3943)
* Encode URL for use in JavaScript (CVE-2014-3943)
* Fix insecure unserialize in colorpicker (CVE-2014-3942)
* Remove charts.swf to get rid of XSS vulnerability (CVE-2014-3943)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

  zypper in -t patch openSUSE-2014-429

- openSUSE 12.3:

  zypper in -t patch openSUSE-2014-429

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (noarch):

  typo3-cms-4_5-4.5.34-2.4.1

- openSUSE 12.3 (noarch):

  typo3-cms-4_5-4.5.34-2.8.1

References:

  http://support.novell.com/security/cve/CVE-2014-3941.html
  http://support.novell.com/security/cve/CVE-2014-3942.html
  http://support.novell.com/security/cve/CVE-2014-3943.html
  https://bugzilla.novell.com/881280
  https://bugzilla.novell.com/881281
  https://bugzilla.novell.com/881282

participants (1): opensuse-security@opensuse.org