TYPO3 10.4.2 and 9.5.17 security releases published

Tue. 12th May, 2020

The versions 10.4.2 and 9.5.17 of the TYPO3 Enterprise Content Management System have just been released.

This is a companion discussion topic for the original entry at https://typo3.org/article/typo3-1042-and-9517-security-releases-published

Thank you @ohader for your time on fixing and investigating all those security topics! :love_you_gesture:

Unfortunately, recent releases introduced some regressions and side-effects, which are collected and tracked at https://forge.typo3.org/versions/3581

  • bug fix for TYPO3-CORE-SA-2020-004 causes side-effects on extension- or user-land code interacting with caches in Extbase, showing deserialization errors for ReflectionService
  • bug fix for TYPO3-CORE-SA-2020-005 causes side-effects for sites that were upgraded from versions before TYPO3 v8 and were upgraded before TYPO3 v9.5.11, e.g. causing problems in the page-tree
    • $BE_USER->uc probably can contain class references to stdClass which need to be converted
    • TYPO3 v9.5.11 added a corresponding "Update backend user configuration array" upgrade wizard
    • to be found at Admin Tools > Upgrade > Upgrade Wizard > Update backend user configuration array
  • bug fix for TYPO3-CORE-SA-2020-006 introduced a strict referrer check, blocking cross-site requests and thus also blocking single-sign-on (SSO) implementations

Once these issues are sorted out and confirmed by the community to resolve current drawbacks, new releases for TYPO3 v9 and v10 will be packaged within a couple of days.