| Summary: | wordpress new security issues fixed in 3.6.1 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, oe, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/566978/ | ||
| Whiteboard: | MGA2TOO MGA2-32-OK MGA2-64-OK MGA3-32-OK MGA3-64-OK | ||
| Source RPM: | wordpress-3.6-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-09-12 00:44:11 CEST
David Walser
2013-09-12 00:44:19 CEST
Whiteboard: (none) => MGA3TOO, MGA2TOO

======================================================
Name: CVE-2013-4338
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25325
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.

======================================================
Name: CVE-2013-4339
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25323
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25324
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string.

======================================================
Name: CVE-2013-4340
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25321
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter.

======================================================
Name: CVE-2013-5738
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25322
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.

======================================================
Name: CVE-2013-5739
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25322
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.

CC: (none) => oe

Strange, the last two weren't mentioned here:
http://openwall.com/lists/oss-security/2013/09/12/1

Fixed in Cauldron in wordpress-3.6.1-1.mga4.

Version: Cauldron => 3

Debian has issued an advisory for this on September 14:
http://www.debian.org/security/2013/dsa-2757

URL: (none) => http://lwn.net/Vulnerabilities/566978/

3.6.1 has been submitted to 2 and 3

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations (CVE-2013-4338).

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string (CVE-2013-4339).

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter (CVE-2013-4340).

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file (CVE-2013-5738).

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php (CVE-2013-5739).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
http://wordpress.org/news/2013/09/wordpress-3-6-1/
http://www.debian.org/security/2013/dsa-2757
========================

Updated packages in core/updates_testing:
========================
wordpress-3.6.1-1.mga2
wordpress-3.6.1-1.mga3

from SRPMS:
wordpress-3.6.1-1.mga2.src.rpm
wordpress-3.6.1-1.mga3.src.rpm

CC: (none) => mageia

Advisory 11218.adv committed to svn. Testing shortly.

CC: (none) => davidwhodgins

Install fails both releases, both arches.

From urpmi --debug wordpress
found package(s): wordpress-3.4.1-1.1.mga2.noarch wordpress-3.5.1-1.1.mga2.noarch wordpress-3.3.2-2.mga2.noarch wordpress-3.4.2-1.mga2.noarch wordpress-3.6.1-1.mga2.noarch wordpress-3.5.2-1.mga2.noarch
opening rpmdb (root=, write=)
chosen wordpress-3.6.1-1.mga2.noarch for wordpress|wordpress|wordpress|wordpress|wordpress|wordpress
selecting wordpress-3.6.1-1.mga2.noarch
requiring pear(ntlm_sasl_client.php),php-mysql for wordpress-3.6.1-1.mga2.noarch
no packages match pear(ntlm_sasl_client.php) (it is either in skip.list or already rejected)
unselecting wordpress-3.6.1-1.mga2.noarch
adding a reason to already rejected package wordpress-3.6.1-1.mga2.noarch: unsatisfied pear(ntlm_sasl_client.php)
A requested package cannot be installed:
wordpress-3.6.1-1.mga2.noarch (due to unsatisfied pear(ntlm_sasl_client.php))

Whiteboard: MGA2TOO => MGA2TOO feedback

fixed with php-phpmailer-5.2.7-0.20130917.1.mga2 + php-phpmailer-5.2.7-0.20130917.1.mga3 (just submitted)

Wordpress tested OK mga2 32 & 64 with new php-phpmailer but unsure yet how to test php-phpmailer

Whiteboard: MGA2TOO feedback => MGA2TOO

Thanks Oden! The only other thing that requires php-phpmailer is galette, but if you can test wordpress features that cause it to send an e-mail, that'd probably be sufficient to test that.

Adding an addendum to the advisory.

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations (CVE-2013-4338).

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string (CVE-2013-4339).

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter (CVE-2013-4340).

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file (CVE-2013-5738).

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php (CVE-2013-5739).

Additionally, php-phpmailer has been updated to a newer version required by the updated wordpress.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
http://wordpress.org/news/2013/09/wordpress-3-6-1/
http://www.debian.org/security/2013/dsa-2757
========================

Updated packages in core/updates_testing:
========================
wordpress-3.6.1-1.mga2
php-phpmailer-5.2.7-0.20130917.1.mga2
wordpress-3.6.1-1.mga3
php-phpmailer-5.2.7-0.20130917.1.mga3

from SRPMS:
wordpress-3.6.1-1.mga2.src.rpm
php-phpmailer-5.2.7-0.20130917.1.mga2.src.rpm
wordpress-3.6.1-1.mga3.src.rpm
php-phpmailer-5.2.7-0.20130917.1.mga3.src.rpm

Updated 11218.adv committed to svn. Testing shortly.

Testing complete on Mageia 2 i586.

Created a blog page as the admin user, created a new user, as the new user added a comment. Confirmed that the moderation email was sent to the admin user.

Testing Mageia 2 x86_64 shortly.

Whiteboard: MGA2TOO => MGA2TOO MGA2-32-OK

Testing complete on Mageia 2 x86_64.

While testing, realized wordpress should have a requires on sendmail-command. Otherwise sending the email fails with /var/log/httpd/error_log showing
sh: /usr/sbin/sendmail: No such file or directory

I'll open a bug report about the missing requires, after I finish testing Mageia 3, which I'll do shortly.

Whiteboard: MGA2TOO MGA2-32-OK => MGA2TOO MGA2-32-OK MGA2-64-OK

Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11218.adv to updates

Keywords: (none) => validated_update

(In reply to Dave Hodgins from comment #14)
> Testing complete on Mageia 2 x86_64.
>
> While testing, realized wordpress should have a requires on sendmail-command.
> Otherwise sending the email fails with /var/log/httpd/error_log showing
> sh: /usr/sbin/sendmail: No such file or directory
>
> I'll open a bug report about the missing requires, after I finish testing
> Mageia 3, which I'll do shortly.

Hmm, I wonder if it wouldn't be best to add a "Suggests: sendmail-command" for the lib(64)php5_common5 package?

Update pushed: http://advisories.mageia.org/MGASA-2013-0285.html

Status: NEW => RESOLVED