Component Type: Core
Affected Components: Install Tool "encryptionKey" Generation
Versions: TYPO3 3.8.0 and earlier
Vulnerability Type: Key Length
For convenience, the TYPO3 Install Tool provides a button that sets the "encryptionKey" to a random value. It has been observed that only parts of the generated value are actually random. The overall key is therefore unique and, as of today, considered sufficiently secure. However, the effective key length is not the intended one.
The solution is part of the general maintenance upgrade to TYPO3 version 3.8.1, which all users of TYPO3 are advised to implement. It contains a fix for the affected routine.
Thanks to Jochen Weiland for notifying us.