Security update for 4.5 LTS, 4.7, 6.1 and 6.2 LTS because of OpenID and Swiftmailer library
Updates are available for the currently supported TYPO3 CMS versions. They fix security issues as well as bugs. The released versions are 4.5.37 LTS, 4.7.20, 6.1.12 and 6.2.6 LTS.
OpenID System Extension
The OpenID subcomponent allows attackers to read files, send HTTP calls to intranet servers, or perform a denial of service (CPU and memory) attack.
Vulnerable versions must be secured by installing the provided update. Alternatively, the OpenID System Extension can be disabled, but this does not seem to be sufficient.
Swiftmailer library Extension
The Swiftmailer library subcomponent can be used for attacks that execute shell commands via the "From" header. Affected TYPO3 installations were configured as follows:
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport']
Installations with the default configuration are not affected. Updating to the fixed versions from the TER or the corresponding Git repositories makes TYPO3 secure again.