
Security Bulletin file format

From TYPO3Wiki

Notice: Draft

This is a proposal for a Security Bulletin file format that extensions can use to automatically inform an administrator (for example by email) about security issues affecting the core version and the extensions found in a TYPO3 installation.

Each <security-bug> entry gives the <type> (core or extension), the <extkey> of the affected extension (extension entries only), the <bulletin> identifier, and <affected-versions>, which lists <version-range> elements bounded by <start> and <end> together with single <version> elements.

Read more at: http://support.typo3.org/general/english/m/typo3-a-thought-about-security-announcements-and-automatic-security-alert-345577/p/1170/

EXAMPLES

EXAMPLE DATA:

XML:
<security-bugs>

  <security-bug>
     <type>extension</type>
     <extkey>sg_zfelib</extkey>
     <bulletin>TYPO3-20080527-2</bulletin>
     <affected-versions>
         <version-range>
             <start>1.1.0</start>
             <end>1.1.512</end>
         </version-range>
         <version-range>
             <start>2.0.0</start>
             <end>2.2.982</end>
         </version-range>
         <version>3.0.1</version>
         <version>3.0.2</version>
     </affected-versions>
  </security-bug>

  <security-bug>
     <type>core</type>
     <bulletin>TYPO3-20080527-2</bulletin>
     <affected-versions>
         <version-range>
             <start>0.0.0</start>
             <end>3.8.0</end>
         </version-range>
         <version>4.0RC1</version>
     </affected-versions>
  </security-bug>

</security-bugs>


REAL EXAMPLE: the 3 latest extension and the 3 latest core security bulletins:

XML:
<security-bugs>

  <security-bug>
     <type>extension</type>
     <extkey>sg_zfelib</extkey>
     <bulletin>TYPO3-20080527-2</bulletin>
     <affected-versions>
         <version-range>
             <start>0</start>
             <end>1.1.512</end>
         </version-range>
     </affected-versions>
  </security-bug>

  <security-bug>
     <type>extension</type>
     <extkey>kj_imagelightbox2</extkey>
     <bulletin>TYPO3-20080527-1</bulletin>
     <affected-versions>
         <version-range>
             <start>0</start>
             <end>1.4.2</end>
         </version-range>
     </affected-versions>
  </security-bug>

  <security-bug>
     <type>extension</type>
     <extkey>air_filemanager</extkey>
     <bulletin>TYPO3-20080515-2</bulletin>
     <affected-versions>
         <version-range>
             <start>0</start>
             <end>0.6.0</end>
         </version-range>
     </affected-versions>
  </security-bug>

  <security-bug>
     <type>core</type>
     <bulletin>TYPO3-20071210-1</bulletin>
     <affected-versions>
         <version-range>
             <start>3.0.0</start>
             <end>3.8.0</end>
         </version-range>
         <version-range>
             <start>4.0.0</start>
             <end>4.0.7</end>
         </version-range>
         <version-range>
             <start>4.1.0</start>
             <end>4.1.3</end>
         </version-range>
     </affected-versions>
  </security-bug>

  <security-bug>
     <type>core</type>
     <bulletin>TYPO3-20070221-1</bulletin>
     <affected-versions>
         <version-range>
             <start>3.0.0</start>
             <end>3.8.1</end>
         </version-range>
         <version-range>
             <start>4.0.0</start>
             <end>4.0.5</end>
         </version-range>
         <version>4.1beta</version>
         <version>4.1RC1</version>
     </affected-versions>
  </security-bug>

  <security-bug>
     <type>core</type>
     <bulletin>TYPO3-20061220-1</bulletin>
     <affected-versions>
         <version-range>
             <start>4.0.0</start>
             <end>4.0.3</end>
         </version-range>
         <version>4.1beta</version>
     </affected-versions>
  </security-bug>

</security-bugs>


PROBLEMS

1. Some Security Bulletins only say "all versions affected" without giving any version numbers. This cannot be expressed in the XML: a range with no upper bound would also mark every future version of the extension as affected, including any later release that ships a fix. See: https://typo3.org/teams/security/security-bulletins/typo3-20080416-2/

2. Some Security Bulletins say "TYPO3 versions 3.x". I think we should be more precise here and write:

            <start>3.0.0</start>
            <end>3.8.1</end>

(3.8.1 was the last release before 4.0.)
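The following is an added example, not code from this wiki page or from the TYPO3 project: a small PHP checker that parses a file in the proposed format, compares it against an installation's core and extension versions with version_compare(), and rejects the structural error visible in the real example above (several <start>/<end> pairs inside one <version-range>) as well as any range that lacks an <end>, since such a range would match every future release (problem 1). The function names, the inclusive reading of <start>/<end>, and all sample data are assumptions made for this illustration.

```php
<?php
// Added example, not from the wiki page or the TYPO3 project: a checker for the
// bulletin format proposed above. Function names, the inclusive reading of
// <start>/<end>, and all sample data are assumptions made for this illustration.
declare(strict_types=1);

// Constructed bulletin file using the page's element names.
const SAMPLE_BULLETINS = <<<'XML'
<security-bugs>
  <security-bug><type>extension</type><extkey>sg_zfelib</extkey><bulletin>TYPO3-20080527-2</bulletin>
    <affected-versions><version-range><start>0</start><end>1.1.512</end></version-range></affected-versions>
  </security-bug>
  <security-bug><type>core</type><bulletin>TYPO3-20070221-1</bulletin>
    <affected-versions>
      <version-range><start>3.0.0</start><end>3.8.1</end></version-range>
      <version-range><start>4.0.0</start><end>4.0.5</end></version-range>
      <version>4.1beta</version><version>4.1RC1</version>
    </affected-versions>
  </security-bug>
</security-bugs>
XML;

// Constructed malformed entry: two <start>/<end> pairs inside one <version-range>.
const MALFORMED_BULLETINS = '<security-bugs><security-bug><type>core</type>'
    . '<bulletin>EXAMPLE-ONLY</bulletin><affected-versions><version-range>'
    . '<start>3.0.0</start><end>3.8.0</end><start>4.0.0</start><end>4.0.7</end>'
    . '</version-range></affected-versions></security-bug></security-bugs>';

// Parse a bulletin file into arrays ['type', 'extkey', 'id', 'ranges' => [[start, end], ...],
// 'versions' => [...]]. Structural errors throw rather than being silently mis-read.
function parseBulletins(string $xml): array
{
    // LIBXML_NONET: no network fetches; entity substitution stays off (no LIBXML_NOENT).
    $root = new SimpleXMLElement($xml, LIBXML_NONET);
    $bugs = [];
    foreach ($root->{'security-bug'} as $bug) {
        $type = trim((string) $bug->type);
        $id = trim((string) $bug->bulletin);
        if (!in_array($type, ['core', 'extension'], true) || $id === '') {
            throw new UnexpectedValueException("bad <type> or missing <bulletin> (type='$type')");
        }
        $extkey = $type === 'extension' ? trim((string) $bug->extkey) : null;
        $ranges = $versions = [];
        $av = $bug->{'affected-versions'};
        foreach ($av->{'version-range'} as $range) {
            // Exactly one <start> and one <end>; a range without <end> would
            // flag every future release, including the one that ships the fix.
            if (count($range->start) !== 1 || count($range->end) !== 1) {
                throw new UnexpectedValueException("malformed <version-range> in $id");
            }
            $ranges[] = [trim((string) $range->start), trim((string) $range->end)];
        }
        foreach ($av->version as $v) {
            $versions[] = trim((string) $v);
        }
        $bugs[] = compact('type', 'extkey', 'id', 'ranges', 'versions');
    }
    return $bugs;
}

// True if $installed lies in an inclusive [start, end] range or equals a listed version.
// version_compare() orders pre-release tags: 4.0RC1 < 4.0.0 and 4.1beta < 4.1RC1.
function isAffected(array $bug, string $installed): bool
{
    foreach ($bug['ranges'] as [$start, $end]) {
        if (version_compare($installed, $start, '>=') && version_compare($installed, $end, '<=')) {
            return true;
        }
    }
    foreach ($bug['versions'] as $v) {
        if (version_compare($installed, $v, '==')) {
            return true;
        }
    }
    return false;
}

// Map the installation (core version, extkey => version) to the bulletin IDs that apply.
function checkInstallation(string $xml, string $coreVersion, array $extensions): array
{
    $hits = [];
    foreach (parseBulletins($xml) as $bug) {
        $key = $bug['type'] === 'core' ? 'core' : $bug['extkey'];
        // Extensions that are not installed yield null and are skipped.
        $installed = $key === 'core' ? $coreVersion : ($extensions[$key] ?? null);
        if ($installed !== null && isAffected($bug, $installed)) {
            $hits[$key][] = $bug['id'];
        }
    }
    return $hits;
}

// Constructed installation: core 4.1RC1 (listed explicitly) plus an old sg_zfelib.
var_export(checkInstallation(SAMPLE_BULLETINS, '4.1RC1', ['sg_zfelib' => '1.1.3', 'other_ext' => '2.0.0']));
try {
    parseBulletins(MALFORMED_BULLETINS);
} catch (UnexpectedValueException $e) {
    echo "\nrejected: ", $e->getMessage(), "\n";
}
```

Run it with the PHP CLI (for example php check.php, the file name being arbitrary). In a real TYPO3 extension the installed versions would be read from the extension list and the core constant instead of being passed in as literals, and the hits would be turned into the email the proposal mentions; both parts are left out here. Note that the checker treats <start>0</start> exactly as the page's real example intends (everything up to <end>), because version_compare() orders "0" below any release number.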