Upstream has released a new version fixing several security issues on June 21: http://wordpress.org/news/2013/06/wordpress-3-5-2/
Whiteboard: (none) => MGA3TOO, MGA2TOO
Update packages uploaded for Mageia 2, Mageia 3, and Cauldron by Funda. Advisory to come.
CC: (none) => fundawang, mageia
Version: Cauldron => 3
Assignee: mageia => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Packages built: wordpress-3.5.2-1.mga2 wordpress-3.5.2-1.mga3 from SRPMS: wordpress-3.5.2-1.mga2.src.rpm wordpress-3.5.2-1.mga3.src.rpm
How about a quick and easy tutorial on how to launch and use wordpress locally? I've installed apache and launched that with a local website and installed M2-x86_64 wordpress 3.5.1-5. What's next, just to make sure it's running? I don't want to be a wordpress expert. Thanks
CC: (none) => wilcal.int
(In reply to William Kenney from comment #3)
> How about a quick and easy tutorial on how to launch and use
> wordpress locally? I've installed apache and launched that
> with a local website and installed M2-x86_64 wordpress 3.5.1-5.
> What's next, just to make sure it's running? I don't want to be a
> wordpress expert.
>
> Thanks

You just need to follow the README provided by README.install.urpmi after installation.
For reference:

http://codex.wordpress.org/Version_3.5.1
* Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team. CVE-2013-0235.
* Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team. CVE-2013-0236.
* Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue. CVE-2013-0237.

http://codex.wordpress.org/Version_3.5.2
* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
CC: (none) => oe
https://bugzilla.redhat.com/show_bug.cgi?id=976784

" Jan Lieskovsky 2013-06-21 08:54:50 EDT

On Friday, 2013-06-21 WordPress upstream is about to release new WordPress v3.5.2 version, correcting the following security flaws:

* CVE-2013-2199 - SSRF, multiple vulnerabilities: Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1.
* CVE-2013-2200 - Privilege escalation allowing contributors to publish posts: Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors.
* CVE-2013-2201 - XSS, multiple vulnerabilities: Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins.
* CVE-2013-2202 - XXE via oEmbed: The processing of an oEmbed response is vulnerable to an XXE.
* CVE-2013-2203 - Full Path Disclosure during File Upload: If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory.

And two security flaws in external products:

* CVE-2013-2204 - Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project: Upstream patch: https://github.com/moxiecode/moxieplayer/commit/b61ac518ffa2657e2dc9019b2
* CVE-2013-2205 - Cross-domain XSS in SWFUpload (again): Fix: Removing security.allowDomain("*") and only allow access from the same domain."
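The SSRF class quoted above (CVE-2013-0235 for pingbacks, CVE-2013-2199 for the HTTP API) comes down to one question: when a user hands the server a URL to fetch, does the server refuse targets on its own network? The following is an added example written for this thread, not WordPress's or Mageia's code, showing the checks a server-side fetcher needs before following a user-supplied URL. `FAKE_DNS` is a constructed name-to-address table so the example runs offline, `ALLOWED_PORTS` is an assumption, and the function names are illustrative.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed name-to-address table so the example runs offline; it stands in
# for a real DNS lookup and contains no real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    # A name that resolves to both a public address and loopback: accepting it
    # because "one of its addresses is fine" is exactly the gap an attacker uses.
    "evil.example": ["93.184.216.35", "127.0.0.1"],
}

# Ports an untrusted URL is allowed to target (assumption for this example).
ALLOWED_PORTS = (80, 443, 8080)


def resolve(host, resolver=None):
    """Return every address for host, from the injected table or real DNS."""
    if resolver is not None:
        return resolver.get(host, [])
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_internal_address(addr):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses, v4 or v6."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=None, allowed_ports=ALLOWED_PORTS):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns True only for http(s) URLs without userinfo, on an allowed port,
    whose host is a public IP literal or a name whose *every* address is public.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False                      # no file://, gopher://, ftp:// ...
    host = parts.hostname
    if not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # "http://trusted.example@10.0.0.1/" tricks
    try:
        port = parts.port
    except ValueError:
        return False                      # unparsable port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in allowed_ports:
        return False                      # stops port scanning through the fetcher
    try:
        return not is_internal_address(host)   # IP literal (v4 or bracketed v6)
    except ValueError:
        pass                                   # not an IP literal: resolve it
    addrs = resolve(host, resolver)
    if not addrs:
        return False                           # fail closed on unresolvable names
    return all(not is_internal_address(a) for a in addrs)
```

Two caveats a practitioner will want: this validates before the fetch, so a DNS answer that changes between the check and the connect (rebinding) still needs the connecting code to use the address it validated rather than resolving again; and every redirect the fetch follows must go through the same check, since a public host can redirect to `http://127.0.0.1/`.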
Thanks Oden!

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

A denial of service flaw was found in the way WordPress, a blog tool and publishing platform, performed hash computation when checking password for password protected blog posts. A remote attacker could provide a specially-crafted input that, when processed by the password checking mechanism of WordPress would lead to excessive CPU consumption (CVE-2013-2173).

Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1 (CVE-2013-2199).

Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors (CVE-2013-2200).

Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins (CVE-2013-2201).

The processing of an oEmbed response is vulnerable to an XXE (CVE-2013-2202).

If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory (CVE-2013-2203).

Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project (CVE-2013-2204).

Cross-domain XSS in SWFUpload (CVE-2013-2205).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205
http://codex.wordpress.org/Version_3.5.2
http://wordpress.org/news/2013/06/wordpress-3-5-2/
https://bugzilla.redhat.com/show_bug.cgi?id=973254
https://bugzilla.redhat.com/show_bug.cgi?id=976784
========================

Updated packages in core/updates_testing:
========================
wordpress-3.5.2-1.mga2
wordpress-3.5.2-1.mga3

from SRPMS:
wordpress-3.5.2-1.mga2.src.rpm
wordpress-3.5.2-1.mga3.src.rpm
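The XXE item in the advisory (CVE-2013-2202) arises because an oEmbed provider's XML reply is attacker-controlled input fed to an XML parser. An oEmbed response is a flat document that never legitimately carries a DTD, so a consumer can refuse any DOCTYPE outright, which shuts out external entities and entity-expansion DoS in one move. The following is an added example written for this thread, not WordPress's code or its actual fix, built on Python's stdlib `xml.parsers.expat`. Both sample responses are constructed, not captured from a real provider, and the function names are illustrative.

```python
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a response uses XML features an oEmbed reply never needs."""


# Constructed sample responses; neither was captured from a real provider.
BENIGN_OEMBED = b"""<?xml version="1.0" encoding="utf-8"?>
<oembed>
  <version>1.0</version>
  <type>video</type>
  <title>A harmless clip</title>
  <html>&lt;iframe src="https://example.com/embed/1"&gt;&lt;/iframe&gt;</html>
</oembed>"""

# The classic XXE shape: a DOCTYPE declaring an external entity, then a
# reference to it inside a field the consumer will render or log.
XXE_OEMBED = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE oembed [
  <!ENTITY leak SYSTEM "file:///etc/passwd">
]>
<oembed>
  <version>1.0</version>
  <type>rich</type>
  <title>&leak;</title>
</oembed>"""


def parse_oembed(data):
    """Parse an oEmbed XML reply into {field: text}, refusing any DOCTYPE.

    Aborting at the DOCTYPE happens before any entity can be declared, so
    neither an external entity nor a billion-laughs expansion gets a chance.
    The external-entity handler is a second line of defence only.
    """
    fields = {}
    current = [None]          # element whose text is being collected
    buf = []                  # character data for that element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE in oEmbed response (possible XXE)")

    def external_entity_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference in oEmbed response")

    def start_element(name, attrs):
        current[0] = name
        buf.clear()

    def char_data(text):
        buf.append(text)

    def end_element(name):
        if current[0] == name and name != "oembed":
            fields[name] = "".join(buf).strip()
        current[0] = None

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = start_doctype
    p.ExternalEntityRefHandler = external_entity_ref
    p.StartElementHandler = start_element
    p.EndElementHandler = end_element
    p.CharacterDataHandler = char_data
    p.Parse(data, True)       # an exception raised in a handler aborts the parse
    return fields


def is_rejected(data):
    """True if the response was refused as unsafe, False if it parsed."""
    try:
        parse_oembed(data)
    except UnsafeXML:
        return True
    return False
```

The same rule applies to any library parser: configure it so a DOCTYPE is an error rather than relying on "external entities disabled", because entity expansion without any external fetch is still a denial of service.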
Testing complete on Mageia 1 and 2, i586 and x86_64.

http://svnweb.mageia.org/advisories/10596.adv?view=markup&sortby=date uploaded.

Could someone from the sysadmin team push 10596.adv?
Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0198.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)