| Summary: | wordpress new XML-RPC DoS issue fixed upstream in 3.9.2 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | rverschelde, sysadmin-bugs, wrw105 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/608414/ | | |
| Whiteboard: | MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok advisory | | |
| Source RPM: | wordpress-3.9.1-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2014-08-07 20:32:28 CEST

David Walser
2014-08-07 20:32:34 CEST

Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. As with Drupal, waiting on the CVE assignment for the advisory.

Updated packages in core/updates_testing:
========================
wordpress-3.9.2-1.mga3
wordpress-3.9.2-1.mga4

from SRPMS:
wordpress-3.9.2-1.mga3.src.rpm
wordpress-3.9.2-1.mga4.src.rpm

Version:
Cauldron =>
4

Tested mga4-64. Database updates, no updates shown from dashboard. Posted a page and a comment from the front page, which display normally.

CC:
(none) =>
wrw105

Tested mga4-32. Clean install, no updates shown from dashboard. Posted a page, a comment and a blog post, which display as they should.

Whiteboard:
MGA3TOO mga4-64-ok =>
MGA3TOO mga4-64-ok mga4-32-ok

Tested mga3-32. Clean install, no updates shown from dashboard. Posted a page, a post and a comment, which display as they should. URPMI is giving me problems on my mga3-64 setup, so if someone else can test that before I get the time to figure out what's wrong, it would be appreciated!
Bill Wilkinson
2014-08-10 17:47:59 CEST

Whiteboard:
MGA3TOO mga4-64-ok mga4-32-ok =>
MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok

As we decided during the last QA meeting, three successful tests on two releases is enough; we can validate this one as is. I'll upload the advisory in the evening.

Keywords:
(none) =>
validated_update

Still no response to the CVE request, so this is all I have for right now.

Advisory:
========================

Updated wordpress packages fix security vulnerabilities:

Multiple vulnerabilities in WordPress before 3.9.2, including denial of service and information disclosure issues related to XML entity expansion.

The wordpress package has been updated to version 3.9.2 to fix these issues. See the release announcement for more details.

References:
https://wordpress.org/news/2014/08/wordpress-3-9-2/

Debian issued an advisory for this on August 9:
https://www.debian.org/security/2014/dsa-3001

David Walser
2014-08-11 17:13:31 CEST

URL:
(none) =>
http://lwn.net/Vulnerabilities/608414/

Advisory uploaded.

Whiteboard:
MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok =>
MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok advisory

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0328.html

Status:
NEW =>
RESOLVED

MITRE finally woke up and assigned some CVEs:
http://openwall.com/lists/oss-security/2014/08/13/3
CVE-2014-5203, CVE-2014-5204, CVE-2014-5205.

However, these CVEs just cover the other minor issues fixed in this update, not the issues related to XML entity expansion.

CVE-2014-5240 was also assigned:
http://openwall.com/lists/oss-security/2014/08/14/2

Still doesn't address the XML entity expansion issues though.

MITRE finally assigned some CVEs (CVE-2014-526[56]):
http://openwall.com/lists/oss-security/2014/08/16/4

LWN reference:
http://lwn.net/Vulnerabilities/609181/

Note that CVE-2014-5267 only applies to Drupal.

LWN reference for the other CVEs I had mentioned previously:
http://lwn.net/Vulnerabilities/609184/