On Tuesday, February 23rd, the TYPO3 development team released maintenance and security updates for TYPO3 versions 6.2 and 7.6. They include four security patches and many bugfixes. Read on for details.
Fixed Security Vulnerabilities
Security bulletins were published for the following issues:
XML External Entity (XXE) Processing in TYPO3 Core
TYPO3 versions: 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3
Severity: Low
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-005/
Cross-Site Scripting in TYPO3 component Backend
TYPO3 versions: 6.2.0 to 6.2.18
Severity: Low
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006/
Cross-Site Scripting in TYPO3 component CSS styled content
TYPO3 versions: 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3
Severity: Medium
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-007/
Denial of Service attack possibility in TYPO3 component Indexed Search
TYPO3 versions: 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3
Severity: High
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-008/
All issues are solved by installing the recent versions and do not need any additional action. If you are looking for the changed lines of code, have a look at the TYPO3 review system. The patches are tagged with “security”.
You are strongly advised to install the new versions. You can download the packages from TYPO3.org.
If you participate in the TYPO3 4.5 ELTS program, you have already received a notice about the updates.
Bugfixes
Besides the four security issues, many bugfixes hit the TYPO3 core.
Version 6.2.18 received two bugfixes. The most current LTS version, version 7, received 21 enhancements and bugfixes since the previous release one week earlier.
Thanks to the TYPO3 Core and Security Team for these releases.