Upstream has released 3.6.1 today (September 11):
http://wordpress.org/news/2013/09/wordpress-3-6-1/

CVEs have been requested for the security issues it fixes:
http://openwall.com/lists/oss-security/2013/09/11/10

Mageia 2 and Mageia 3 are also affected.
Whiteboard: (none) => MGA3TOO, MGA2TOO
======================================================
Name: CVE-2013-4338
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25325
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.

======================================================
Name: CVE-2013-4339
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25323
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25324
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string.

======================================================
Name: CVE-2013-4340
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25321
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter.
======================================================
Name: CVE-2013-5738
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25322
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.

======================================================
Name: CVE-2013-5739
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130911
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25322
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
CC: (none) => oe
Strange, the last two weren't mentioned here: http://openwall.com/lists/oss-security/2013/09/12/1
Fixed in Cauldron in wordpress-3.6.1-1.mga4.
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Debian has issued an advisory for this on September 14: http://www.debian.org/security/2013/dsa-2757
URL: (none) => http://lwn.net/Vulnerabilities/566978/
3.6.1 has been submitted to 2 and 3
Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations (CVE-2013-4338).

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string (CVE-2013-4339).

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter (CVE-2013-4340).

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file (CVE-2013-5738).

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php (CVE-2013-5739).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
http://wordpress.org/news/2013/09/wordpress-3-6-1/
http://www.debian.org/security/2013/dsa-2757
========================

Updated packages in core/updates_testing:
========================
wordpress-3.6.1-1.mga2
wordpress-3.6.1-1.mga3

from SRPMS:
wordpress-3.6.1-1.mga2.src.rpm
wordpress-3.6.1-1.mga3.src.rpm
CC: (none) => mageia
Assignee: mageia => qa-bugs
Advisory 11218.adv committed to svn. Testing shortly.
CC: (none) => davidwhodgins
Install fails both releases, both arches. From urpmi --debug wordpress:

found package(s): wordpress-3.4.1-1.1.mga2.noarch wordpress-3.5.1-1.1.mga2.noarch wordpress-3.3.2-2.mga2.noarch wordpress-3.4.2-1.mga2.noarch wordpress-3.6.1-1.mga2.noarch wordpress-3.5.2-1.mga2.noarch
opening rpmdb (root=, write=)
chosen wordpress-3.6.1-1.mga2.noarch for wordpress|wordpress|wordpress|wordpress|wordpress|wordpress
selecting wordpress-3.6.1-1.mga2.noarch
requiring pear(ntlm_sasl_client.php),php-mysql for wordpress-3.6.1-1.mga2.noarch
no packages match pear(ntlm_sasl_client.php) (it is either in skip.list or already rejected)
unselecting wordpress-3.6.1-1.mga2.noarch
adding a reason to already rejected package wordpress-3.6.1-1.mga2.noarch: unsatisfied pear(ntlm_sasl_client.php)
A requested package cannot be installed:
wordpress-3.6.1-1.mga2.noarch (due to unsatisfied pear(ntlm_sasl_client.php))
Whiteboard: MGA2TOO => MGA2TOO feedback
Fixed with php-phpmailer-5.2.7-0.20130917.1.mga2 + php-phpmailer-5.2.7-0.20130917.1.mga3 (just submitted).
Wordpress tested OK mga2 32 & 64 with new php-phpmailer but unsure yet how to test php-phpmailer
Whiteboard: MGA2TOO feedback => MGA2TOO
Thanks Oden! The only other thing that requires php-phpmailer is galette, but if you can test wordpress features that cause it to send an e-mail, that'd probably be sufficient to test that. Adding an addendum to the advisory.

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations (CVE-2013-4338).

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string (CVE-2013-4339).

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter (CVE-2013-4340).

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file (CVE-2013-5738).

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php (CVE-2013-5739).

Additionally, php-phpmailer has been updated to a newer version required by the updated wordpress.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
http://wordpress.org/news/2013/09/wordpress-3-6-1/
http://www.debian.org/security/2013/dsa-2757
========================

Updated packages in core/updates_testing:
========================
wordpress-3.6.1-1.mga2
php-phpmailer-5.2.7-0.20130917.1.mga2
wordpress-3.6.1-1.mga3
php-phpmailer-5.2.7-0.20130917.1.mga3

from SRPMS:
wordpress-3.6.1-1.mga2.src.rpm
php-phpmailer-5.2.7-0.20130917.1.mga2.src.rpm
wordpress-3.6.1-1.mga3.src.rpm
php-phpmailer-5.2.7-0.20130917.1.mga3.src.rpm
Updated 11218.adv committed to svn. Testing shortly.
Testing complete on Mageia 2 i586. Created a blog page as the admin user, created a new user, as the new user added a comment. Confirmed that the moderation email was sent to the admin user. Testing Mageia 2 x86_64 shortly.
Whiteboard: MGA2TOO => MGA2TOO MGA2-32-OK
Testing complete on Mageia 2 x86_64.

While testing, realized wordpress should have a requires on sendmail-command. Otherwise sending the email fails with /var/log/httpd/error_log showing
sh: /usr/sbin/sendmail: No such file or directory

I'll open a bug report about the missing requires, after I finish testing Mageia 3, which I'll do shortly.
Whiteboard: MGA2TOO MGA2-32-OK => MGA2TOO MGA2-32-OK MGA2-64-OK
Testing complete on Mageia 3 i586 and x86_64. Someone from the sysadmin team please push 11218.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK => MGA2TOO MGA2-32-OK MGA2-64-OK MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
(In reply to Dave Hodgins from comment #14)
> Testing complete on Mageia 2 x86_64.
>
> While testing, realized wordpress should have a requires on sendmail-command.
> Otherwise sending the email fails with /var/log/httpd/error_log showing
> sh: /usr/sbin/sendmail: No such file or directory
>
> I'll open a bug report about the missing requires, after I finish testing
> Mageia 3, which I'll do shortly.

Hmm, I wonder if it wouldn't be best to add a "Suggests: sendmail-command" for the lib(64)php5_common5 package?
Update pushed: http://advisories.mageia.org/MGASA-2013-0285.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED