Release Date: October 17, 2014
Bulletin Update: October 18, 2014 (added CVE)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: all versions of 0.x.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x; 1.5.8 and below of 1.5.x; 1.6.0
Vulnerability Type: Denial of Service
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE: CVE-2014-8325
Problem Description: User input is passed to PHP's PCRE library without validating it beforehand. Depending on user input this may consume a tremendous amount of system resources.
Solution: Updated versions 1.5.9 (for TYPO3 CMS 4.5.5 - 6.0.99) and 1.6.1 (for TYPO3 CMS 6.1.0 - 6.2.99) are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/cal/1.6.1/t3x/ and http://typo3.org/extensions/repository/download/cal/1.5.9/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Daniel Hahler and Bernd Schuhmacher who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.