typo3 (security) updates

Asked by ak

This is the context of my question:
* I've been happily using Ubuntu for quite a while now (mainly 8.04 LTS)
* and I'm using typo3 from time to time.
* Today I discovered that typo3 is just an "apt-get install typo3" away from the new server I'm just installing.
* I searched FAQ, wiki, launchpad and ubuntuforums with few findings at all. So I'm not sure whether using typo3 from ubuntu sources is adequate.

And this is my question in three flavours:
1.) Is typo3 just there - just because someone kindly added it for convenience and it works somehow - or is it actively maintained?
2.) In other words: what is to be expected? When there is a security fix for typo3 on typo3.org, will there be an update on the ubuntu version soon (just as for linux kernel fixes, e.g.)?
3.) How will I be more safe in regard to typo3 security - doing security updates myself or using apt-get update?

Thank you for any help or clarification.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: ak

juancarlospaco (juancarlospaco) said :
#1

Main and Universe are maintained by MOTU and Canonical.
Others are maintained by the community and third parties.

Usually one uses apt-get update, apt-get upgrade;
for other security problems, read the Ubuntu Security News:

http://www.ubuntu.com/usn/

Linux is actually the most secure platform.
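
A way to see which archive component and pocket the candidate version of a package comes from, which is what the question about distribution-delivered security fixes turns on (added example, not part of the original thread; the sample `apt-cache policy` output, its version numbers and the example.invalid mirrors are constructed, and `policy_summary` is a hypothetical helper name):

```shell
#!/bin/sh
# Added example. Reads `apt-cache policy <pkg>` output on stdin and prints:
#   candidate=<version> component=<list> security_pocket=<yes|no>
# Real use (not run here): apt-cache policy typo3 | policy_summary
policy_summary() {
  awk '
    $1 == "Candidate:" { cand = $2 ""; next }
    # Version-table entry header: "[***] <version> <priority>"
    NF == 2 && $2 ~ /^[0-9]+$/ { ver = $1 ""; next }
    NF == 3 && $1 == "***"     { ver = $2 ""; next }
    # Archive line: "<pin> <url> <suite>/<component> [<arch>] Packages"
    ver == cand && $NF == "Packages" && split($3, p, "/") == 2 {
      if (!(p[2] in seen)) { seen[p[2]] = 1; comps = (comps ? comps "," : "") p[2] }
      if (p[1] ~ /-security$/) sec = "yes"
    }
    END {
      printf "candidate=%s component=%s security_pocket=%s\n",
             cand, (comps ? comps : "unknown"), (sec ? sec : "no")
    }'
}

# Constructed sample: candidate offered only by the release pocket of universe.
sample_release_only() {
  cat <<'EOF'
typo3:
  Installed: (none)
  Candidate: 1.0-1
  Version table:
     1.0-1 0
        500 http://archive.example.invalid hardy/universe Packages
EOF
}

# Constructed sample: a newer candidate published through the security pocket.
sample_security_main() {
  cat <<'EOF'
examplepkg:
  Installed: 1.0-1
  Candidate: 1.0-1ubuntu0.1
  Version table:
     1.0-1ubuntu0.1 0
        500 http://security.example.invalid hardy-security/main Packages
 *** 1.0-1 0
        500 http://archive.example.invalid hardy/main Packages
        100 /var/lib/dpkg/status
EOF
}
```

A candidate listed only under the release suite means no newer build has been published through the security pocket for that release.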

Tom (tom6) said :
#2

I'm guessing you're a recent convert from Windows? Security in linux is built up right from the ground level rather than being placed on top as an optional after-thought, as such it is much more stable and secure. Packages in the repositories do occasionally get updated but this is usually to increase functionality rather than to patch less well written code.

Also in linux coders/programmers/developers are generally well respected whether they are part of the establishment or not. There's more kudos in writing a nifty program or adding to the functionality or security of a big project than in hacking something. If Windows hackers were shown linux then virus creation would drop away drastically. It's more fun and more skilful to make something crazy and get praise for it :)

I found the webpage for typo3 but haven't visited it yet.
http://www.typo3.com

If you do have issues with the program then feel free to ask questions in here or through google - or submit bug-reports so that developers can consider adding in the functionality you request.

Good luck and regards from
Tom :)

Tom (tom6) said :
#3

lol yes from Juan's link you can see that security issues were discovered ahead of time rather than after a problem had been exploited. Also seems that issues had been resolved during the normal update cycles as part of something else rather than being a required update in order to solve an emergency :)

ak (ubuntu-launchpad-insecteam) said :
#4

Thanks folks for your answers.

Thanks, juancarlospaco (I conclude from your name that you speak Spanish)!
Your link (I hadn't found that page yet) helped me to be sure that by this time security updates for typo3 are not to be expected in a timely manner (no bug filed yet, although a critical security issue has been announced on January 20, 2009).

I've just filed a bug report, I'm not yet sure whether this was necessary or helpful.

"I'm guessing you're a recent convert from Windows."
No, Tom, I'm not. I've been using Linux since 1992 or 1993 (I don't remember for sure), when my boss asked me to remove Linux from my PC-"Workstation" and replace it with Windows. A few months later (I had not removed Linux) I read an "important" tape, which could be read neither using Windows nor using HP-UX, which he used on his UNIX Workstation. "How have you done that?" "Linux!" He never bothered me again to remove Linux :-) And since 04/2001 I've not been asked to use anything other than Linux as my "Workstation's" (a notebook) OS.

"Security in linux is built up right from the ground level rather than being placed on top as an optional after-thought, as such it is much more stable and secure."
Well, I don't share this point of view of yours completely, but yes - I personally come across fewer security issues on linux than others do on Windows.
But if it's about real security (or as juancarlospaco might express it: security security security) and it's me to choose the OS, then I use OpenBSD.

"If you do have issues with the program then feel free to ask questions in here ..."
Thank you, again. I'll do that in the future, I'm sure.

Thanks again for your help, folks. Have a good time.

Tom (tom6) said :
#5

Sorry if I caused offence. We do get a lot of noobs in here which is great to see. A lot of people moving from Windows towards Ubuntu and linux generally. It's good to hear that your boss used a unix workstation and eventually accepted you using a *nix platform too, perhaps a story worth sending to Bug #1. A lot of us answering questions in here are noobs too and it would be great if another person of your long experience also joined in. I think it's good when someone gets advice from 2 or 3 different perspectives, allowing them to choose one that they can work with.

Thanks again
Good luck and regards from
Tom :)

ak (ubuntu-launchpad-insecteam) said :
#7

Hi Tom,

I didn't feel offended, thanks for your answer. I'm just not experienced with any Ubuntu Community systems, because there never has been an issue before. I just installed Ubuntu, and it worked great. Security updates came in when needed, so I became a little bit inattentive about "the usual bugs", because they got corrected on a mouseclick.

I didn't really expect typo3 to be supported by Ubuntu, but I checked anyway "apt-cache search typo3" and voila, it was there. Because I'm going to use typo3 on three servers at least, I wanted to be sure about security updates. Hence my question here, because I wasn't sure at all.

About new users: I'm very happy about Ubuntu - it's the first Linux I can give to an inexperienced Windows user and tell him to simply hit ENTER a few times, it will work (provided he doesn't want to preserve anything on his computer).

Well, maybe I can be helpful one day - today I learned that launchpad exists.

Best wishes, Andreas

P.S.: Bug #1 is great ;-)

Tom (tom6) said :
#8

Wow that's definitely worth posting in Bug #1! :)
Thanks and nicely done
Regards from
Tom :)