Posted in advisory/ on June 19, 2009.
In a recent TYPO3 Security Advisory/Bulletin, the TYPO3 Security team advised to uninstall and delete a vulnerable extension.
This generally only happens when we did not manage to get in contact with the extension owner. After we published this bulletin, we were contacted by individuals and web agencies who expressed their wish to fix the vulnerability, mainly because they were using the extension in question.
Whenever the TYPO3 Security Team finds a vulnerability in an extension and is unable to reach the registered extension owner (no reply to our mails, or the mail address is no longer valid), the TYPO3 Security Team advises to uninstall and remove the extension.
We are of course aware of the fact that this extension might be deployed on a lot of TYPO3 systems out there. This procedure is not about annoying you at all.
Being unable to contact the extension owner means that the extension is no longer maintained.
No matter how easy it is to fix the vulnerability and that we might patch the extension by ourselves, we'll again face the same situation whenever a further vulnerability in the extension is reported.
The TYPO3 Security Team does not maintain extensions.
It also happened in the past that the extension owner contacted us and was willing to maintain the extension some time after we published the bulletin.
In case we still aren't contacted by the extension owner, we cannot simply
Reasons:
(ad 1) We obviously don't want exploits in the wild and might not be able to put trust in you, who have contacted us by email.
(ad 2) The extension owner "owns" the extension. We cannot simply remove the ownership. You might want to contact the TYPO3 Association and ask them to transfer the key to you. Transferring keys is not a TYPO3 Security Team task.
Thank you for your understanding.
Posted in advisory/ on April 21, 2009.
As a security-aware person you want to be informed of security updates. Nothing is easier than that. The TYPO3 announce mailing list is a low-traffic list; besides the important security updates, only the regular major and minor releases are announced there.
On that list, security fixes for the TYPO3 Core and for TYPO3 extensions (available in TER) are announced.
In the past, pre-announcements of severe vulnerabilities and the corresponding security fixes have been posted there, so that every TYPO3 admin is prepared for immediate action.
So, if you are maintaining TYPO3 websites, please make sure to be subscribed to that list.
In addition, you might want to subscribe to the Security newsfeed listed on http://news.typo3.org/xml-feeds/
Both the announce mailing list and the security newsfeed are updated when there is a new security advisory. But in case of mail server problems on your side, you may want to have a backup in place: the security news feed.