The TYPO3 Association has published new security releases for all four major versions (8, 9, 10, 11).
The updates fix several vulnerabilities:
Denial of Service (DoS)
Allows an attacker to cripple the web server with targeted, frequent web page requests. For example, a flaw in cache behaviour can make the web server's cache grow without bound until the server's disk space is exhausted.
Information Disclosure
Such a security gap exists when unauthorised persons can obtain protected data. This can be personal data within the meaning of the GDPR (DSGVO) or technical data (TYPO3, database and PHP versions, access details, etc.) that can then be used to attack the system.
Cross-Site Scripting (XSS)
Recommendation for action
The severity, i.e. the level of risk, is classified as medium.
We recommend a timely security update.
One of the most important measures for operating a secure TYPO3 installation is to run a supported TYPO3 version. The TYPO3 Association has defined a binding release policy, which we briefly present below.
TYPO3 Release
A TYPO3 release always consists of three numbers separated by dots: the major version, the minor version and the patch level (for example 11.5.0: major version 11, minor version 5, patch level 0).
Long Term Support (LTS)
For each major version there is always a Long Term Support (LTS) version. It has the highest minor version: in the case of TYPO3 v11 it is 11.5, so there will never be a version 11.6. The lower minor versions (11.0 to 11.4) are called sprint releases and are not suitable for production use. LTS versions receive 1.5 years of maintenance and security updates, visible in the third number (11.5.0, 11.5.1, ... 11.5.xx), followed by another 1.5 years of security updates only.
Extended Long Term Support (ELTS)
Extended Long Term Support (ELTS) is a paid support offering from TYPO3 GmbH for TYPO3 versions that have dropped out of LTS (after 3 years). ELTS is usually offered for two major versions at a time: while v11 and v10 are in LTS, ELTS is offered for v9 and v8. Security updates continue to be delivered as part of this service.
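As an added illustration (not code from this page or from the TYPO3 project), the following Python classifies an installed TYPO3 version against the numbering and support rules of the release policy described above: sprint release, maintained LTS, security-only LTS, or out of LTS. The LTS minor numbers for v8, v9 and v10 are taken from the project's release history and are not stated on the page; the LTS release date in the sample is an example value the operator would replace.

```python
from datetime import date

# Minor version that is the LTS release of each major line. The page names only
# 11.5; the other three entries come from the project's release history and are
# assumptions as far as this page is concerned.
LTS_MINOR = {8: 7, 9: 5, 10: 4, 11: 5}

MAINTENANCE_MONTHS = 18    # 1.5 years of maintenance + security updates
SECURITY_ONLY_MONTHS = 18  # followed by 1.5 years of security updates only


def parse_version(version: str) -> tuple[int, int, int]:
    """Split 'major.minor.patch' into integers; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a TYPO3 release number: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def add_months(d: date, months: int) -> date:
    """Calendar month arithmetic without third-party libraries."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    # Clamp the day for short months (e.g. 31 Jan + 1 month -> 28/29 Feb).
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    last_day = [31, 29 if leap else 28, 31, 30, 31, 30,
                31, 31, 30, 31, 30, 31][month - 1]
    return date(year, month, min(d.day, last_day))


def support_status(version: str, lts_release: date, today: date) -> str:
    """
    Classify an installed TYPO3 version according to the release policy.
    lts_release is the date the major line's x.y.0 LTS release shipped; the
    operator supplies it, because the page gives durations, not dates.
    Returns one of: 'sprint', 'maintained', 'security-only', 'unsupported'.
    """
    major, minor, _patch = parse_version(version)
    if major not in LTS_MINOR:
        raise ValueError(f"unknown TYPO3 major version {major}")
    lts_minor = LTS_MINOR[major]
    if minor > lts_minor:
        # The LTS has the highest minor number of its line (11.6 never exists).
        raise ValueError(f"{major}.{minor} cannot exist: {major}.{lts_minor} is the LTS")
    if minor < lts_minor:
        return "sprint"          # pre-LTS sprint release, not for production
    maintenance_end = add_months(lts_release, MAINTENANCE_MONTHS)
    security_end = add_months(maintenance_end, SECURITY_ONLY_MONTHS)
    if today < maintenance_end:
        return "maintained"
    if today < security_end:
        return "security-only"
    return "unsupported"         # LTS ended: upgrade, or buy ELTS


if __name__ == "__main__":
    # Constructed sample: the 11.5 LTS release date is an example value, not a
    # value from the page; replace it with the real date for your line.
    lts_11 = date(2021, 10, 5)
    for v, day in [("11.3.1", date(2022, 1, 1)),
                   ("11.5.2", date(2022, 6, 1)),
                   ("11.5.9", date(2024, 1, 1)),
                   ("11.5.9", date(2025, 1, 1))]:
        print(v, day, support_status(v, lts_11, day))
```

In practice the version string comes from the installation (for example the `typo3/cms-core` entry in `composer.lock`), and the LTS release dates come from the project's own release announcements; the script only encodes the 1.5 + 1.5 year rule stated above.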
The TYPO3 Association regularly publishes its TYPO3 development roadmap at: