Posted on June 19, 2009.
In a recent TYPO3 Security Advisory/Bulletin, the TYPO3 Security team advised to uninstall and delete a vulnerable extension.
This generally only happens when we didn't manage to get in contact with the extension owner. After we've published this bulletin, we were contacted by individuals and web agencies who expressed their wish to fix the vulnerability - mainly because they were using the extension in question.
Whenever the TYPO3 Security Team finds a vulnerability in an extension and is unable to reach the registered extension owner (the owner doesn't reply to our mails, or the mail address is no longer valid), the TYPO3 Security Team advises to uninstall and remove the extension.
We are of course aware of the fact that this extension might be deployed on a lot of TYPO3 systems out there. This procedure is not about annoying you at all.
Being unable to contact the extension owner means that the extension is no longer maintained.
No matter how easy the vulnerability is to fix, and even though we could patch the extension ourselves, we would face the same situation again whenever a further vulnerability in the extension is reported.
The TYPO3 Security Team does not maintain extensions.
It also happened in the past that the extension owner contacted us and was willing to maintain the extension some time after we published the bulletin.
In case we still aren't contacted by the extension owner, we cannot simply
Reasons:
(ad 1) We obviously don't want exploits in the wild and might not be able to put trust in someone who has contacted us by email.
(ad 2) The extension owner "owns" the extension. We cannot simply remove the ownership. You might want to contact the TYPO3 Association and ask them to transfer the key to you. Transferring keys is not a TYPO3 Security Team task.
Thank you for your understanding.
Transfer of extension keys
Hi,
The transfer of an extension key is only possible if the current owner agrees to this.
Peter
Re: Transfer of extension keys
@Peter: not quite. There is a rule - although I never manage to find it when I look for it - which says that if three subsequent requests to transfer an extension remain without answers, the key can be transferred forcefully.
Re: Transfer of extension keys
@Francois: Can you try searching again? This would indeed be interesting for us to integrate in the TYPO3 Extension Security Policy and use in daily work, so that others could overtake maintainership.
Extension key transfer policy
Lars, I found the following:
http://forge.typo3.org/wiki/extension-ect/Extensionkey_transfer
but I find it too strict. I think the 6 months period is too long, and the discussion in the ECT list is not good, especially since that list is not really active anymore. I think this policy should be reviewed in a much more widely used list (i.e. the dev list).
Re: Extension key transfer policy
Great!
I will bring this to the dev list and the ECT list and hopefully we can bring it down and have it more widespread. At least for extensions in the TER that have security problems, the period should be much shorter.