mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-23 04:23:08 +00:00
add entry for typo3-9 and typo3-10
PR: 248430 248429
Sponsored by: Netzkommune GmbH
parent
846b6b2e0f
commit
7843b6c9b0
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=544152
@ -58,6 +58,56 @@ Notes:
|
||||
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
|
||||
-->
|
||||
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
|
||||
<vuln vid="eab964f8-d632-11ea-9172-4c72b94353b5">
|
||||
<topic>typo3 -- multiple vulnerabilities</topic>
|
||||
<affects>
|
||||
<package>
|
||||
<name>typo3-9-php72</name>
|
||||
<name>typo3-9-php73</name>
|
||||
<name>typo3-9-php74</name>
|
||||
<range><lt>9.5.20</lt></range>
|
||||
</package>
|
||||
<package>
|
||||
<name>typo3-10-php72</name>
|
||||
<name>typo3-10-php73</name>
|
||||
<name>typo3-10-php74</name>
|
||||
<range><lt>10.4.6</lt></range>
|
||||
</package>
|
||||
</affects>
|
||||
<description>
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>Typo3 Team reports:</p>
|
||||
<blockquote cite="https://typo3.org/article/typo3-1046-and-9520-security-releases-published">
|
||||
<p>In case an attacker manages to generate a valid cryptographic message authentication
|
||||
code (HMAC-SHA1) - either by using a different existing vulnerability or in case the
|
||||
internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a
|
||||
TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php
|
||||
which again contains the encryptionKey as well as credentials of the database management
|
||||
system being used.
|
||||
In case a database server is directly accessible either via internet or in a shared hosting
|
||||
network, this allows to completely retrieve, manipulate or delete database contents.
|
||||
This includes creating an administration user account - which can be used to trigger remote
|
||||
code execution by injecting custom extensions.</p>
|
||||
<p>It has been discovered that an internal verification mechanism can be used to generate
|
||||
arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic
|
||||
message authentication code (HMAC-SHA1) and can lead to various attack chains as described
|
||||
below.</p>
|
||||
</blockquote>
|
||||
</body>
|
||||
</description>
|
||||
<references>
|
||||
<url>https://typo3.org/article/typo3-1046-and-9520-security-releases-published</url>
|
||||
<url>https://typo3.org/security/advisory/typo3-core-sa-2020-007</url>
|
||||
<url>https://typo3.org/security/advisory/typo3-core-sa-2020-008</url>
|
||||
<cvename>CVE-2020-15098</cvename>
|
||||
<cvename>CVE-2020-15099</cvename>
|
||||
</references>
|
||||
<dates>
|
||||
<discovery>2020-07-28</discovery>
|
||||
<entry>2020-08-04</entry>
|
||||
</dates>
|
||||
</vuln>
|
||||
|
||||
<vuln vid="3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0">
|
||||
<topic>xorg-server -- Pixel Data Uninitialized Memory Information Disclosure</topic>
|
||||
<affects>
|
||||
|
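Review bot: The second quoted paragraph in the new <description> ends with "can lead to various attack chains as described below", but the <blockquote> closes immediately afterwards, so the entry refers to text it does not include. Either cut the quote before that clause (marking the omission) or quote the attack chains from the advisory so the sentence resolves. The first <p> also runs the file-retrieval, database-access and admin-account sentences together with only line breaks between them; splitting it into separate <p> elements would render more clearly. Since <references> lists both typo3-core-sa-2020-007 and typo3-core-sa-2020-008 along with two CVE names, it would help readers if the description indicated which quoted paragraph belongs to which advisory.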