found in TYPO3 core.
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
2009-10-22 Oliver Hader <oliver@typo3.org>
* Release of TYPO3 4.2.10
2009-10-22 Ernesto Baschny <ernst@cron-it.de>
* Security Issue #11664: Updated RemoveXSS code to the latest knowledge in this area (thanks to Jigal van Hemert)
* Fixed bug #11586: Potential SQL injection in frontend editing (thanks to Oliver Klee)
* Fixed bug #12309: It was possible to gain access to the Install Tool by only knowing the md5 hash of the password.
* Fixed bug #12310: Encryption key can be recalculated when using normal mailform when [FE][strictFormmail] == 0 (thanks to Oliver Klee)
* Fixed bug #12090: Filenames should be escaped with escapeshellarg before passing them to imagemagick (thanks to Oliver Klee)
* Fixed bug #12303: XSS vulnerability due to not proper sanitizing in function t3lib_div::quoteJSvalue (thanks to Oliver Klee)
* Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
* Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to Oliver Klee)
* Fixed bug #12306: XSS vulnerability in module dispatcher
* Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)
* Fixed bug #12308: XSS vulnerability in "DB > Full search" functionality
* Fixed bug #10501: XSS vulnerability in the install tool (thanks to Oliver Klee)
2009-10-21 Rupert Germann <rupi@gmx.li>
* Fixed bug #12280: Error Message while creating empty Folders (thanks to Daniel Schmitzer)
* Fixed bug #12300 (Follow-up to 11995): Output compression breaks prompt for keyboard input in CLI scripts
2009-10-21 Steffen Kamper <info@sk-typo3.de>
* Fixed bug #12272: Steps disregarded in t3lib_lock (thanks to Dan Osipov)
2009-10-15 Rupert Germann <rupi@gmx.li>
* Fixed bug #8728: PHP Warning, if SQL error occurs in class t3lib_db in functions which depend on an existing resultset (thanks to Felix Oertel)
2009-10-11 Rupert Germann <rupi@gmx.li>
* Fixed bug #10971: Fatal error in impexp module: Call to a member function includeLLFile() on a non-object (thanks to Andre Steiling)
2009-10-10 Rupert Germann <rupi@gmx.li>
* Fixed bug #12129 (follow-up to bug #11986): Translation update broken with activated output compression (thanks to Steffen Gebert)
2009-09-29 Oliver Hader <oliver@typo3.org>
* Fixed bug #11433: touch(): Utime failed in install tool (thanks to Steffen Gebert)
It is bug fix release and this is a leaf package.
2009-09-28 Ingmar Schlecht <ingmar@typo3.org>
* Release of TYPO3 4.2.9
2009-09-20 Francois Suter <francois@typo3.org>
* Fixed bug #11995: Prompt for keyboard input does not get displayed in CLI scripts
* Fixed bug #11224: Special menu directory only renders 1st level if special.value is a mount point (Thanks to Xavier Perseguers)
2009-09-19 Rupert Germann <rupi@gmx.li>
* Fixed bug #11986: dynamic update of translation status im EM is broken
2009-09-17 Rupert Germann <rupi@gmx.li>
* Fixed bug #9270: Editors can´t undelete records in history (thanks to Christian Hernmarck)
2009-09-15 Stanislas Rolland <typo3@sjbr.ca>
* Fixed bug #11915: htmlArea RTE: superfluous span tags in content after server-based cleaning on paste operation
* Updated htmlArea RTE version to 1.7.12 (branch TYPO3_4-2)
* Follow-up to bug #11946: htmlArea RTE: reference was made to context menu item after context menu was closed
2009-09-13 Stanislas Rolland <typo3@sjbr.ca>
* Fixed bug #11847: htmlArea RTE displays empty editing area in Opera 10
* Fixed bug #11946: htmlArea RTE: table properties editing dialogue windows loose focus after opening in IE8
2009-09-01 Oliver Hader <oliver@typo3.org>
* Fixed bug #11845: Typo in a CLI error mesage: suue -> sure (thanks to Oliver Klee)
2009-08-26 Michael Stucki <michael@typo3.org>
* Fixed bug #11731: ENABLE_INSTALL_TOOL file check in yellow box does not check the file age (thanks to Moreno Feltscher)
2009-08-19 Michael Stucki <michael@typo3.org>
* Fixed bug #11716: Install Tool always sets TYPO3_CONF_VARS[FE][disableNoCacheParameter] upon save
2009-08-14 Michael Stucki <michael@typo3.org>
* Fixed bug #8968: DBAL incompatible SQL in "impexp" extension (thanks to Marc Bastian Heinrichs)
2009-08-12 Michael Stucki <michael@typo3.org>
* Follow-up to bug #11513: Shorten one ident field which is known to be too long (solved the issue on those setups where the DB is not updated)
* Fixed bug #11513: cache_hash table could not be filled because information field (ident) was too short (thanks to Ingo Schmitt)
2009-08-02 Oliver Hader <oliver@typo3.org>
* Fixed bug #10769: Wrong encoded email header (thanks to Ivan Kartolo)
2009-07-20 Ingo Renner <ingo@typo3.org>
* Fixed bug: #11006: Tooltip for page path in Page/List module is missing (thanks to Steffen Gebert)
2009-07-19 Oliver Hader <oliver@typo3.org>
* Fixed bug #6875: IRRE - Sorting of child records is inverted on moving parent record to different page (thanks to Nabil Saleh)
2009-07-09 Martin Kutschker <masi@typo3.org>
* Fixed bug: same error message is used twice for different errors
2009-07-08 Oliver Hader <oliver@typo3.org>
* Fixed bug #11412: Using typolinkLinkAccessRestrictedPages does not take different domain names into account
From release announce.
-----------------------------------------------------------------------
Dear TYPO3 users,
we are announcing the release of the following TYPO3 updates:
- TYPO3 4.2.8
- TYPO3 4.1.12
- TYPO3 4.0.13
All versions are maintenance releases and contain only bugfixes
and minor security improvements (no critical fixes of vulnerabilities).
Notice: Due to a bug which was reported to us short after the release of
TYPO3 versions 4.1.11 and 4.2.7, we stopped the release of the
announcement and prepared new versions that fix this (minor) issue.
TYPO3 4.0.13 which was already released yesterday was not affected by
this bug.
For details about the release, visit the following websites:
http://wiki.typo3.org/TYPO3_4.2.8http://wiki.typo3.org/TYPO3_4.1.12http://wiki.typo3.org/TYPO3_4.0.13
Quote from release announce is here and see ChangeLog for detail.
All versions are maintenance releases and contain bugfixes
and security fixes.
IMPORTANT: These versions include an important security fix
to the TYPO3 core. A security announcement has just been
released:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/
All versions are maintenance releases and contain only bugfixes.
IMPORTANT: These versions contain important fixes of regressions from
the earlier versions released 20 January 2009, but they do not contain
additional security fixes.
ChangeLog:
2009-01-24 Ingmar Schlecht <ingmar@typo3.org>
* Release of TYPO3 4.2.5
2009-01-24 Ingmar Schlecht <ingmar@typo3.org>
* Fixed bug #10205: DB session record is only created when user is authenticated (thanks also to Michael Stucki)
2009-01-20 Steffen Kamper <info@sk-typo3.de>
* Fixed bug #9345: Bug: CSV export includes _CLIPBOARD_ in header row (thanks to Christian Kuhn)
This update contains security fixes and please refer ChangeLog file
for full changes.
1. System extension Install tool (install)
Insecure Randomness
2. Authentication library
Broken Authentication and Session Management
3. System extension Indexed Search Engine (indexed_search)
Cross-Site Scripting, Remote Command Execution
4. System extension ADOdb (adodb)
Cross-Site Scripting
5. Workspace module
Cross-Site Scripting
After update, you will need to create a new encryption key.
(1) Upgrade to the new TYPO3 version.
(2) Clear the configuration cache
(3) Open the install tool and choose menu 1 ("Basic Configuration").
(4) Scroll to the bottom of the page and click on the button
"Generate random key".
(5) Submit the form by clicking on "Update localconf.php".
(6) Clear the configuration and page cache again.
TYPO3 is a free Open Source content management system for enterprise
purposes on the web and in intranets. It offers full flexibility and
extendability while featuring an accomplished set of ready-made
interfaces, functions and modules.
