| Summary: | wordpress new security issues fixed upstream in 3.5.2 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, fundawang, mageia, oe, sysadmin-bugs, wilcal.int |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK | | |
| Source RPM: | wordpress-3.5.1-2.mga3.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2013-06-23 05:06:24 CEST

David Walser
2013-06-23 05:06:36 CEST
Whiteboard: (none) => MGA3TOO, MGA2TOO

Update packages uploaded for Mageia 2, Mageia 3, and Cauldron by Funda. Advisory to come.
CC: (none) => fundawang, mageia

Packages built:
wordpress-3.5.2-1.mga2
wordpress-3.5.2-1.mga3

from SRPMS:
wordpress-3.5.2-1.mga2.src.rpm
wordpress-3.5.2-1.mga3.src.rpm

How bout a quick and easy tutorial on how to launch and use wordpress locally. I've installed apache and launched that with a local website and installed M2-x86_64 wordpress 3.5.1-5. What's next just to make sure it's running? I don't wanna be a wordpress expert.

Thanks
CC: (none) => wilcal.int

(In reply to William Kenney from comment #3)
> How bout a quick and easy tutorial on how to launch and use
> wordpress locally. I've installed apache and launched that
> with a local website and installed M2-x86_64 wordpress 3.5.1-5.
> What's next just to make sure it's running? I don't wanna be a
> wordpress expert.
>
> Thanks

You just need to follow the README provided by README.install.urpmi after installation.

For reference:

http://codex.wordpress.org/Version_3.5.1
Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team. CVE-2013-0235.
Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team. CVE-2013-0236.
Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue. CVE-2013-0237.

http://codex.wordpress.org/Version_3.5.2
* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
CC: (none) => oe

https://bugzilla.redhat.com/show_bug.cgi?id=976784
"
Jan Lieskovsky 2013-06-21 08:54:50 EDT

On Friday, 2013-06-21 WordPress upstream is about to release new WordPress v3.5.2 version, correcting the following security flaws:

* CVE-2013-2199 - SSRF, multiple vulnerabilities: Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1.
* CVE-2013-2200 - Privilege escalation allowing contributors to publish posts: Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors.
* CVE-2013-2201 - XSS, multiple vulnerabilities: Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins.
* CVE-2013-2202 - XXE via oEmbed: The processing of an oEmbed response is vulnerable to an XXE.
* CVE-2013-2203 - Full Path Disclosure during File Upload: If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory.

And two security flaws in external products:

* CVE-2013-2204 - Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project:
  Upstream patch: https://github.com/moxiecode/moxieplayer/commit/b61ac518ffa2657e2dc9019b2
* CVE-2013-2205 - Cross-domain XSS in SWFUpload (again):
  Fix: Removing security.allowDomain("*") and only allow access from the same domain.
"

Thanks Oden!

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

A denial of service flaw was found in the way Wordpress, a blog tool and publishing platform, performed hash computation when checking password for password protected blog posts. A remote attacker could provide a specially-crafted input that, when processed by the password checking mechanism of Wordpress would lead to excessive CPU consumption (CVE-2013-2173).

Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1 (CVE-2013-2199).

Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors (CVE-2013-2200).

Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins (CVE-2013-2201).

The processing of an oEmbed response is vulnerable to an XXE (CVE-2013-2202).

If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory (CVE-2013-2203).

Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project (CVE-2013-2204).

Cross-domain XSS in SWFUpload (CVE-2013-2205).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205
http://codex.wordpress.org/Version_3.5.2
http://wordpress.org/news/2013/06/wordpress-3-5-2/
https://bugzilla.redhat.com/show_bug.cgi?id=973254
https://bugzilla.redhat.com/show_bug.cgi?id=976784
========================

Updated packages in core/updates_testing:
========================
wordpress-3.5.2-1.mga2
wordpress-3.5.2-1.mga3

from SRPMS:
wordpress-3.5.2-1.mga2.src.rpm
wordpress-3.5.2-1.mga3.src.rpm

Testing complete on Mageia 1 and 2, i586 and x86_64.

http://svnweb.mageia.org/advisories/10596.adv?view=markup&sortby=date uploaded.

Could someone from the sysadmin team push 10596.adv
Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2013-0198.html
Status: NEW => RESOLVED

Nicolas Vigier
2014-05-08 18:04:17 CEST
CC: boklm => (none)
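The advisory's CVE-2013-2173 entry names only the symptom: excessive CPU while checking a post password. What makes that possible, a property of phpass rather than anything stated on this page, is that a phpass hash string encodes its own cost (the character after "$P$" is an index into phpass's ITOA64 alphabet and verification runs 2**index MD5 rounds), and the post-password cookie is exactly such a string chosen by the client. The Python port below is an added example, not code from WordPress or the Mageia package; it reproduces phpass's portable hash and adds a cost ceiling equal to the cost the server itself issues, with "$P$B", the salt "abcdefgh" and the passwords used as constructed sample values.

```python
import hashlib
import hmac

# phpass portable layout: "$P$" + cost char (ITOA64 index, 2**index MD5 rounds) + 8-char salt + 22-char digest
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WP_COST_LOG2 = 13  # WordPress issues "$P$B" hashes: ITOA64[13] == "B"


def encode64(data: bytes) -> str:
    # phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, LSB first.
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def cost_of(setting: str) -> int:
    # MD5 rounds a phpass string demands; 0 if the prefix or cost char is invalid.
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return 0
    log2 = ITOA64.find(setting[3])
    return 1 << log2 if 7 <= log2 <= 30 else 0


def phpass_crypt(password: bytes, setting: str, max_cost_log2: int = WP_COST_LOG2):
    # Port of phpass crypt_private() plus a cost ceiling: a client-supplied
    # cookie such as "$P$S..." would otherwise be accepted and cost 2**30 rounds.
    count = cost_of(setting)
    if count == 0 or count > (1 << max_cost_log2):
        return None
    h = hashlib.md5(setting[4:12].encode("ascii") + password).digest()
    for _ in range(count):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h)


def check_password(password: bytes, stored: str) -> bool:
    computed = phpass_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)
```

With the ceiling in place a forged "$P$S" cookie is refused before any hashing happens; phpass alone accepts any cost up to "$P$S" and does the work.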