Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Oct 2014 13:30:06 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: TYPO3 Security Team <security@...o3.org>
Subject: CVE request: TYPO3-EXT-SA-2014-013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can I get one 2014 CVE for following TYPO3 extension issue, thank you.

It has been discovered that the extension "Calendar Base" (cal) is susceptible
to Denial of Service.

Release Date: October 17, 2014
Affected Versions: all versions of 0.x.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x;
1.5.8 and below of 1.5.x; 1.6.0

Vulnerability Type: Denial of Service
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

Problem Description: User input is passed to PHP's PCRE library without
validating it beforehand. Depending on user input this may consume a tremendous
amount of system resources.

Solution: Updated versions 1.5.9 (for TYPO3 CMS 4.5.5 - 6.0.99) and 1.6.1 (for
TYPO3 CMS 6.1.0 - 6.2.99) are available from the TYPO3 extension manager and at
http://typo3.org/extensions/repository/download/cal/1.6.1/t3x/ and
http://typo3.org/extensions/repository/download/cal/1.5.9/t3x/. Users of the
extension are advised to update the extension as soon as possible.

Credits: Credits go to Daniel Hahler and Bernd Schuhmacher who discovered and
reported the issue.

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlRA764ACgkQXf6hBi6kbk8GfwCeKDJx4lm7rAXgrtnC8wHV4H7G
qSwAoMa4zQF02P3BBT0t7GqlN5ZYJjJS
=6CEb
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ