Debian Security Advisory

DSA-1439-1 typo3-src -- missing input sanitising

Date Reported:
28 Dec 2007
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 457446.
In Mitre's CVE dictionary: CVE-2007-6381.
More information:

Henning Pingel discovered that TYPO3, a web content management framework, performs insufficient input sanitising, making it vulnerable to SQL injection by logged-in backend users.

The old stable distribution (sarge) doesn't contain typo3-src.

For the stable distribution (etch), this problem has been fixed in version 4.0.2+debian-4.

For the unstable distribution (sid) and for the testing distribution (lenny), this problem has been fixed in version 4.1.5-1.

We recommend that you upgrade your typo3-src packages.

Fixed in:

Debian GNU/Linux 4.0 (stable)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.