TYPO3 10.4.2 and 9.5.17 security releases published

discobot · May 12, 2020, 10:57am

Tue. 12th May, 2020

The versions 10.4.2 and 9.5.17 of the TYPO3 Enterprise Content Management System have just been released.

This is a companion discussion topic for the original entry at https://typo3.org/article/typo3-1042-and-9517-security-releases-published

jousch · May 12, 2020, 11:44am

Thank you @ohader for your time on fixing and investigating all that security topics!

ohader · May 15, 2020, 10:44am

Unfortunately recent releases introduced some regressions and side-effects which are collected and tracked at https://forge.typo3.org/versions/3581

bug fix for TYPO3-CORE-SA-2020-004 causes side-effects on extension- or user-land code interacting with caches in Extbase, showing deserialization errors for ReflectionService
- suggested bug fix at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64494
bug fix for TYPO3-CORE-SA-2020-005 causes side-effects for sites that were upgraded from versions before TYPO3 v8 and were upgrade before TYPO3 v9.5.11, e.g. causing problems in the page-tree
- $BE_USER->uc probably can contain class references to stdClass which need to be converted
- TYPO3 v9.5.11 add a corresponding Update backend user configuration array upgrade wizard
- to be found at Admin Tools > Upgrade > Upgrade Wizard > Update backend user configuration array
bug fix for TYPO3-CORE-SA-2020-006 introduced a strict referrer check, blocking cross-site requests and thus also blocking single-sign-on (SSO) implementations
- suggested bug fix at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492

Once these issues are sorted out and confirmed by the community to resolve current drawbacks, new releases for TYPO3 v9 and v10 will be packaged within a couple of days.