Bug 16457

CVE request:
http://openwall.com/lists/oss-security/2015/07/23/15

CVE assignments and more details:
http://openwall.com/lists/oss-security/2015/07/23/18

Advisory:
========================

Updated wordpress packages fixes security vulnerabilities:

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting
vulnerability, which could allow users with the Contributor or Author role to
compromise a site (CVE-2015-5622).

WordPress versions 4.2.2 and earlier are affected by an issue where it was
possible for a user with Subscriber permissions to create a draft through
Quick Draft (CVE-2015-5623).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
http://codex.wordpress.org/Version_3.9.7
https://wordpress.org/news/2015/07/wordpress-4-2-3/
http://openwall.com/lists/oss-security/2015/07/23/18

Summary: wordpress new security issue fixed upstream in 3.9.7 => wordpress new security issues fixed upstream in 3.9.7 (CVE-2015-5622 and CVE-2015-5623)

Trying MGA4 x64

Two things.
1] Confused by the difference between Wordpress & Mageia version-IDs.(Description)

2] Silly perhaps, but I need to get past this...
Having installed Wordpress OK from released repos, 
 wordpress-3.9.6-1.mga4
and created its DB OK according to instructions, http://localhost/wordpress/ first popped up its 'create config' offer, done OK re its MariaDB database; then went through its 5m setup routine. I naively defined the Wordpress user 'wordpress ' and password for same 'wordpress' - complained about (reasonably) as being weak.
The start Blog is present & correct; however, login using these params failed. The link to change password via e-mail all works OK, which I did to something slightly better. Still logins failed. So I repeated the password re-set loop to something better again; *still* unable to login.
Noted that the DB collation was 'swedish' (but not the individual tables), apparently the default. Tried changing that to utf8_bin , but still no login.
So any suggestions please?

CC: (none) => lewyssmith

The upstream announcement doesn't say it explicitly, but it applies to both the 3.9.7 and 4.2.3 releases.  The Mageia 4 package is still using the 3.9.x branch.

(In reply to Lewis Smith from comment #3)

> 2] Silly perhaps, but I need to get past this...
> The start Blog is present & correct; however, login using these params
> failed. The link to change password via e-mail all works OK, which I did to
> something slightly better. Still logins failed. So I repeated the password
> re-set loop to something better again; *still* unable to login.
> Noted that the DB collation was 'swedish' (but not the individual tables),
> apparently the default. Tried changing that to utf8_bin , but still no login.
> So any suggestions please?
No need!
I found that the login problem happened using Opera; but trying with Firefox, it works OK. This does not strike me as healthy, even though Opera (12) is now very dated. There is nothing more basic than username/password login fields; surely this should work with *any* browser. I shall try others.

Testing MGA4 x64

Used wordpress-3.9.6-1.mga4 OK.
Updated it to wordpress-3.9.7-1.mga4
Played with it a bit. Seemed OK, OK-ing this.

BTW The login problem in Comment 3 proved to be *just* Opera (12). Login worked with Firefox, Web & Konqueror.

Whiteboard: has_procedure => has_procedure MGA4-64-OK

Tested mga4-32.

Installed on a fresh mga4 installation, created database and installed wp.  Created a post and a page, edited.  All OK.

Validating.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK mga4-32-ok
CC: (none) => wrw105, sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0290.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED