Bug 9030

Summary: wordpress new security issues CVE-2013-0235, CVE-2013-0236, and CVE-2013-0237
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: fundawang, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/537250/
Whiteboard: mga2-32-ok mga2-64-ok
Source RPM: wordpress-3.4.2-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-02-10 19:15:31 CET 
Fedora has issued an advisory on February 1:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098476.html

The issues are fixed in 3.5.1, which we updated to already in Cauldron.

We should issue an update for Mageia 2.
David Walser 2013-02-10 19:15:41 CET

CC: (none) => fundawang

David Walser 2013-05-01 23:25:26 CEST

Assignee: fundawang => mageia

Comment 1 Damien Lallement 2013-05-06 11:37:47 CEST 
WIP

Status: NEW => ASSIGNED

Comment 2 Damien Lallement 2013-05-06 17:47:53 CEST 
Advisory:
-------------
This update of WordPress updates it to 3.5.1 as bug fixes and security release.

Packages:
-------------
wordpress-3.5.1-1.1.mga2

New Suggests:
-------------
N/A

How to test:
-------------
- Install 'wordpress' from 2, configure it.
- Install 'wordpress' from 'update_testing' and check it's still working as expected.

Assignee: mageia => qa-bugs

Comment 3 David Walser 2013-05-06 20:34:32 CEST 
Thanks Damien!

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:


A server-side request forgery vulnerability and remote port scanning using
pingbacks. This vulnerability, which could potentially be used to expose
information and compromise a site, affects WordPress before 3.5.1
(CVE-2013-0235).

Two instances of cross-site scripting via shortcodes and post content
(CVE-2013-0236).

A cross-site scripting vulnerability in the external library Plupload
(CVE-2013-0237).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0237
https://wordpress.org/news/2013/01/wordpress-3-5-1/
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098476.html
========================

Updated packages in core/updates_testing:
========================
wordpress-3.5.1-1.1.mga2

from wordpress-3.5.1-1.1.mga2.src.rpm
Comment 4 claire robinson 2013-05-07 12:33:11 CEST 
Testing complete mga2 32 & 64

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: (none) => mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2013-05-09 12:32:13 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0137

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED