Bug 10596 - wordpress new security issues fixed upstream in 3.5.2
: wordpress new security issues fixed upstream in 3.5.2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-23 05:06 CEST by David Walser
Modified: 2014-05-08 18:04 CEST (History)
6 users (show)

See Also:
Source RPM: wordpress-3.5.1-2.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-06-23 05:06:24 CEST
Upstream has released a new version fixing several security issues on June 21:
http://wordpress.org/news/2013/06/wordpress-3-5-2/

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-06-23 16:13:12 CEST
Update packages uploaded for Mageia 2, Mageia 3, and Cauldron by Funda.

Advisory to come.
Comment 2 David Walser 2013-06-23 16:14:53 CEST
Packages built:
wordpress-3.5.2-1.mga2
wordpress-3.5.2-1.mga3

from SRPMS:
wordpress-3.5.2-1.mga2.src.rpm
wordpress-3.5.2-1.mga3.src.rpm
Comment 3 William Kenney 2013-06-27 06:03:01 CEST
How bout a quick and easy tutorial on how to launch and use
wordpress locally. I've installed apache and launched that
with a local website and installed M2-x86_64 wordpress 3.5.1-5.
What's next just to make sure it's running? I don't wanna be a
wordpress expert.

Thanks
Comment 4 Damien Lallement 2013-06-27 12:39:16 CEST
(In reply to William Kenney from comment #3)
> How bout a quick and easy tutorial on how to launch and use
> wordpress locally. I've installed apache and launched that
> with a local website and installed M2-x86_64 wordpress 3.5.1-5.
> What's next just to make sure it's running? I don't wanna be a
> wordpress expert.
> 
> Thanks

You just need to follow the README provided by README.install.urpmi after installation.
Comment 5 Oden Eriksson 2013-06-27 17:14:48 CEST
For reference:

http://codex.wordpress.org/Version_3.5.1

Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team. CVE-2013-0235.

Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team. CVE-2013-0236.

Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue. CVE-2013-0237.

http://codex.wordpress.org/Version_3.5.2

* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.

* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
Comment 6 Oden Eriksson 2013-06-27 17:17:06 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=976784

" Jan Lieskovsky 2013-06-21 08:54:50 EDT

On Friday, 2013-06-21 WordPress upstream is about to release new WordPress v3.5.2 version,
correcting the following security flaws:

* CVE-2013-2199 - SSRF, multiple vulnerabilities:

  Inadequate SSRF protection for HTTP requests where the user can provide a URL
  can allow for attacks against the intranet and other sites. This is a
  continuation of work related to CVE-2013-0235, which was specific to SSRF in
  pingback requests and was fixed in 3.5.1.

* CVE-2013-2200 - Privilege escalation allowing contributors to publish posts:

  Inadequate checking of a user's capabilities could allow them to publish posts
  when their user role should not allow for it; and to assign posts to other
  authors.

* CVE-2013-2201 - XSS, multiple vulnerabilities:

  Inadequate escaping allowed an administrator to trigger a cross-site scripting
  vulnerability through the uploading of media files and plugins.

* CVE-2013-2202 - XXE via oEmbed:

  The processing of an oEmbed response is vulnerable to an XXE.

* CVE-2013-2203 - Full Path Disclosure during File Upload:

  If the uploads directory is not writable, error message data returned via XHR
  will include a full path to the directory.

And two security flaws in external products:

* CVE-2013-2204 - Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project:
  Upstream patch: https://github.com/moxiecode/moxieplayer/commit/b61ac518ffa2657e2dc9019b2

* CVE-2013-2205 - Cross-domain XSS in SWFUpload (again):
  Fix: Removing security.allowDomain("*") and only allow access from the same domain."
Comment 7 David Walser 2013-06-27 17:39:33 CEST
Thanks Oden!

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

A denial of service flaw was found in the way Wordpress, a blog tool and
publishing platform, performed hash computation when checking password for
password protected blog posts. A remote attacker could provide a specially-
crafted input that, when processed by the password checking mechanism of
Wordpress would lead to excessive CPU consumption (CVE-2013-2173).

Inadequate SSRF protection for HTTP requests where the user can provide a
URL can allow for attacks against the intranet and other sites. This is a
continuation of work related to CVE-2013-0235, which was specific to SSRF
in pingback requests and was fixed in 3.5.1 (CVE-2013-2199).

Inadequate checking of a user's capabilities could allow them to publish
posts when their user role should not allow for it; and to assign posts to
other authors (CVE-2013-2200).

Inadequate escaping allowed an administrator to trigger a cross-site
scripting vulnerability through the uploading of media files and plugins
(CVE-2013-2201).

The processing of an oEmbed response is vulnerable to an XXE
(CVE-2013-2202).

If the uploads directory is not writable, error message data returned via
XHR will include a full path to the directory (CVE-2013-2203).

Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project
(CVE-2013-2204).

Cross-domain XSS in SWFUpload (CVE-2013-2205).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205
http://codex.wordpress.org/Version_3.5.2
http://wordpress.org/news/2013/06/wordpress-3-5-2/
https://bugzilla.redhat.com/show_bug.cgi?id=973254
https://bugzilla.redhat.com/show_bug.cgi?id=976784
========================

Updated packages in core/updates_testing:
========================
wordpress-3.5.2-1.mga2
wordpress-3.5.2-1.mga3

from SRPMS:
wordpress-3.5.2-1.mga2.src.rpm
wordpress-3.5.2-1.mga3.src.rpm
Comment 8 Dave Hodgins 2013-07-01 03:36:09 CEST
Testing complete on Mageia 1 and 2, i586 and x86_64.

http://svnweb.mageia.org/advisories/10596.adv?view=markup&sortby=date
uploaded.

Could someone from the sysadmin team push 10596.adv
Comment 9 Nicolas Vigier 2013-07-01 21:25:34 CEST
http://advisories.mageia.org/MGASA-2013-0198.html

Note You need to log in before you can comment on or make changes to this bug.