mirror of https://git.FreeBSD.org/ports.git synced 2024-12-23 04:23:08 +00:00

add entry for typo3-9 and typo3-10

PR:		248430 248429
Sponsored by:	Netzkommune GmbH
This commit is contained in:
Jochen Neumeister 2020-08-04 09:30:44 +00:00
parent 846b6b2e0f
commit 7843b6c9b0
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=544152


@ -58,6 +58,56 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="eab964f8-d632-11ea-9172-4c72b94353b5">
<topic>typo3 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>typo3-9-php72</name>
<name>typo3-9-php73</name>
<name>typo3-9-php74</name>
<range><lt>9.5.20</lt></range>
</package>
<package>
<name>typo3-10-php72</name>
<name>typo3-10-php73</name>
<name>typo3-10-php74</name>
<range><lt>10.4.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Typo3 Team reports:</p>
<blockquote cite="https://typo3.org/article/typo3-1046-and-9520-security-releases-published">
<p>In case an attacker manages to generate a valid cryptographic message authentication
code (HMAC-SHA1) - either by using a different existing vulnerability or in case the
internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a
TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php
which again contains the encryptionKey as well as credentials of the database management
system being used.
In case a database server is directly accessible either via internet or in a shared hosting
network, this allows to completely retrieve, manipulate or delete database contents.
This includes creating an administration user account - which can be used to trigger remote
code execution by injecting custom extensions.</p>
<p>It has been discovered that an internal verification mechanism can be used to generate
arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic
message authentication code (HMAC-SHA1) and can lead to various attack chains as described
below.</p>
</blockquote>
</body>
</description>
<references>
<url>https://typo3.org/article/typo3-1046-and-9520-security-releases-published</url>
<url>https://typo3.org/security/advisory/typo3-core-sa-2020-007</url>
<url>https://typo3.org/security/advisory/typo3-core-sa-2020-008</url>
<cvename>CVE-2020-15098</cvename>
<cvename>CVE-2020-15099</cvename>
</references>
<dates>
<discovery>2020-07-28</discovery>
<entry>2020-08-04</entry>
</dates>
</vuln>
<vuln vid="3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0">
<topic>xorg-server -- Pixel Data Uninitialized Memory Information Disclosure</topic>
<affects>
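Review bot: the second quoted paragraph in the new entry ends with "can lead to various attack chains as described below", but nothing follows it inside the `<blockquote>`; the "below" refers to text in the upstream article that this excerpt does not include, so a reader of the vuxml entry is left pointing at nothing. Either drop "as described below" from the quote or include the relevant sentences from the cited article so the description stands on its own. Two smaller points in the same hunk: "Typo3 Team reports" should use the project's own spelling "TYPO3" as in the `<topic>` and the advisory URLs, and since the two paragraphs correspond to the two referenced advisories (typo3-core-sa-2020-007 and -008) and two CVEs, it would help readers to state which paragraph belongs to which advisory rather than leaving that mapping implicit.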