TYPO3 Extension Calendar Base (cal) and fal_sftp vulnerable to Denial of Service
To represent events in TYPO3 there are a few extensions up to the task. One of them is the extension cal, for which a security update has been available since today.
The attack is possible because input is forwarded to PHP's PCRE library without being checked. Depending on the input, this can place a heavy load on system resources.
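The post does not say how the unchecked input reaches PCRE in cal, so the following added illustration (not code from the extension or from TYPO3) only shows the general defensive pattern for that bug class in PHP: bound the input, treat it as a literal rather than as a pattern, and fail closed when PCRE reports a resource-limit error. The function names and the search-term use case are assumptions.

```php
<?php
// Added illustration, not code from the cal extension: a defensive way to
// pass untrusted input to PHP's PCRE functions.

/**
 * Build a filter regex from an untrusted search term.
 * Returns null when the term is unusable, instead of handing it to PCRE unchecked.
 */
function buildSafeTermPattern(string $term, int $maxLen = 64): ?string
{
    // 1. Bound the size: matching cost grows with the length of what PCRE sees.
    if ($term === '' || strlen($term) > $maxLen) {
        return null;
    }
    // 2. Never let the caller supply regex metacharacters; treat the term as a literal.
    return '/' . preg_quote($term, '/') . '/iu';
}

/**
 * Run a match and treat PCRE resource-limit errors (e.g. the backtrack or
 * recursion limit from pcre.backtrack_limit / pcre.recursion_limit) as a hard
 * failure instead of silently reporting "no match".
 */
function safeMatch(string $pattern, string $subject): bool
{
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        error_log('PCRE error code ' . preg_last_error() . ' while matching; rejecting request');
        return false;
    }
    return $result === 1;
}

// Constructed sample usage: the search term comes from the query string.
$pattern = buildSafeTermPattern($_GET['q'] ?? '');
if ($pattern === null) {
    http_response_code(400);
    exit('invalid search term');
}
var_dump(safeMatch($pattern, 'Monthly team meeting'));
```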
cal
The extension "cal" is vulnerable to Denial of Service.
Security risk: Medium
Concerns: all versions of 0.x.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x; 1.5.x up to and including 1.5.8; 1.6.0
Solution: Update to version 1.5.9 (for TYPO3 CMS 4.5.5 - 6.0.99) or 1.6.1 (for TYPO3 CMS 6.1.0 - 6.2.99)
Download for TYPO3 CMS 6.1.0 - 6.2.99
Download for TYPO3 CMS 4.5.5 - 6.0.99
With version 6.2, the FAL (File Abstraction Layer) was introduced into the TYPO3 core; it is meant to manage multiple storage locations (think of them as different hard disks). Connecting remote servers over SFTP, using the protocol support implemented by the PHP extension ssh2, is handled by FAL SFTP. A security notice for it was published today:
fal_sftp
The extension "fal_sftp" is vulnerable to Denial of Service.
Security risk: Medium
Concerns: all versions 0.2.4 and 0.2.5
Solution: Update to version 0.2.6
To the security bulletin (English)
Download the latest version for TYPO3 CMS
UPDATE: Today another security update for Dynamic Content Elements (dce) was released.
dce
The extension "dce" has a data protection vulnerability.
Security risk: Low
Concerns: all versions of 0.7.x, 0.8.x, 0.9.x, 0.10.x; 0.11.x up to and including 0.11.4
Solution: Update to version 0.11.5