Bug 15786

Summary: wordpress new security issue fixed upstream in 3.9.6 (CVE-2015-3440)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, wrw105
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/653500/
Whiteboard: has_procedure advisory mga4-64-ok
Source RPM: wordpress-3.9.4-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-04-28 00:11:12 CEST 
Another security update for wordpress 4.x came out today, and presumably 3.9.6 will be available soon as well:
http://codex.wordpress.org/Version_3.9.6

There was also version 3.9.5, which fixed a regression introduced in 3.9.4:
http://codex.wordpress.org/Version_3.9.5

We'll need to update Mageia 4 and Mageia 5 again once the 3.9.6 tarball is out.

CVE request:
http://openwall.com/lists/oss-security/2015/04/27/4

A CVE has also been requested for the issue fixed in our previous update (see Bug 15745).

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-28 00:11:24 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-29 16:57:56 CEST 
CVE-2015-3440 was assigned (see the bottom of the post):
http://openwall.com/lists/oss-security/2015/04/28/7

Summary: wordpress new security issue fixed upstream in 3.9.6 => wordpress new security issue fixed upstream in 3.9.6 (CVE-2015-3440)

Comment 2 David Walser 2015-05-01 17:58:42 CEST 
I contacted upstream and they said they are still working on the 3.9.6 release.
Comment 3 David Walser 2015-05-04 23:48:48 CEST 
Dropped from Cauldron as it's unmaintained and was never updated to 4.x.

The 3.9.6 tarball is still not available :o(

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 David Walser 2015-05-07 12:51:47 CEST 
Updated package uploaded for Mageia 4.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14625#c4

Advisory:
========================

Updated wordpress packages fixes security vulnerabilities:

The wordpress package has been updated to version 3.9.6, which fixes multiple
cross-site scripting issues, including CVE-2015-3440, and other bugs.

Note that upstream has advised us that WordPress 3.9.x is no longer supported.
As this package is unmaintained, this may be the last update for this package.
Downloading the latest version from upstream and using that, as well as making
use of its aut-update capability, may be preferrable to using this package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3440
http://codex.wordpress.org/Version_3.9.5
http://codex.wordpress.org/Version_3.9.6
========================

Updated packages in core/updates_testing:
========================
wordpress-3.9.6-1.mga4

from wordpress-3.9.6-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 5 Bill Wilkinson 2015-05-07 14:14:25 CEST 
Tested mga4-64.

Update requested database update, which completed without incident.

Added and edited a page, added and modified blog post, added and removed a user.  All OK.

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga4-64-ok

Comment 6 Bill Wilkinson 2015-05-07 15:16:35 CEST 
Just realized this is a noarch package, so...

Validating.  Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2015-05-08 21:25:39 CEST 
Advisory uploaded.

Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok

Comment 8 Mageia Robot 2015-05-09 01:54:48 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0202.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2015-08-04 22:32:17 CEST 
Debian used CVE-2015-3429 for a cross-site scripting issue fixed in this update.  I don't know where they got that CVE from.
https://lists.debian.org/debian-security-announce/2015/msg00224.html

URL: (none) => http://lwn.net/Vulnerabilities/653500/