======================================================
Name: CVE-2014-0165
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0165
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131203
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.7.2
Reference: CONFIRM:http://codex.wordpress.org/Version_3.8.2
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/27976
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1085866

WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.

======================================================
Name: CVE-2014-0166
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0166
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131203
Category:
Reference: CONFIRM:http://codex.wordpress.org/Version_3.7.2
Reference: CONFIRM:http://codex.wordpress.org/Version_3.8.2
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/28054
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1085858

The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.
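Added illustration of the two server-side checks the CVE texts above turn on, written for this page and not taken from WordPress or from the referenced changesets (which the page does not reproduce): a cookie validator of the shape "username|expiration|mac" in a loosely-compared "before" form beside a strict, constant-time form (the CVE-2014-0166 class), and a post-status normaliser that enforces a publish capability instead of trusting the submitted status (the CVE-2014-0165 class). The cookie layout, the AUTH_KEY secret, the $can_publish flag and all function names are hypothetical; nothing here claims to be the actual defect in wp-includes/pluggable.php or wp-admin/includes/post.php.

```php
<?php
// Added example (not WordPress code). Cookie layout, key and names are
// hypothetical stand-ins for the real wp_validate_auth_cookie() logic.

// ---- Authentication cookie: "username|expiration|mac" ----------------

// Hypothetical server-side secret, constructed for the example only.
const AUTH_KEY = 'example-only-secret-0123456789abcdef';

function auth_cookie_mac(string $username, int $expiration): string {
    return hash_hmac('sha256', $username . '|' . $expiration, AUTH_KEY);
}

function issue_auth_cookie(string $username, int $expiration): string {
    return $username . '|' . $expiration . '|' . auth_cookie_mac($username, $expiration);
}

// "Before" pattern, kept only for contrast: loose comparison of the
// attacker-supplied MAC segment. PHP's == and != compare two numeric-looking
// strings as numbers (a hex digest of the form "0e" followed only by digits
// is numerically zero), and the comparison stops at the first differing
// byte, so it also leaks timing.
function validate_auth_cookie_loose(string $cookie, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expiration, $mac] = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return null;
    }
    if (auth_cookie_mac($username, (int) $expiration) != $mac) { // loose !=
        return null;
    }
    return $username;
}

// hash_equals() exists from PHP 5.6; this fallback mirrors its contract
// (same length required, every byte compared, no early exit).
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user) {
        if (!is_string($known) || !is_string($user) || strlen($known) !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($known); $i < $n; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Hardened: same parsing and expiry check, but the MAC is compared with a
// type-strict, constant-time function. The computed value goes first so the
// length of the attacker-supplied string is what varies, not the secret-derived one.
function validate_auth_cookie_strict(string $cookie, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expiration, $mac] = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return null;
    }
    if (!hash_equals(auth_cookie_mac($username, (int) $expiration), $mac)) {
        return null;
    }
    return $username;
}

// ---- Post status: never trust the submitted status -------------------

// $can_publish stands in for a capability check such as
// current_user_can('publish_posts'). A role without it (Contributor in
// WordPress terms) may only save a draft or submit for review; anything
// that would make content public is downgraded to 'pending'.
function normalize_post_status(string $requested, bool $can_publish): string {
    $allowed_without_capability = ['draft', 'pending'];
    if (in_array($requested, $allowed_without_capability, true)) {
        return $requested;
    }
    return $can_publish ? $requested : 'pending';
}

// Constructed demonstration with a hypothetical clock value.
$now      = 1700000000;
$good     = issue_auth_cookie('alice', $now + 3600);
$tampered = 'admin|' . ($now + 3600) . '|' . explode('|', $good)[2];
$expired  = issue_auth_cookie('alice', $now - 1);

foreach (['good' => $good, 'tampered' => $tampered, 'expired' => $expired] as $label => $cookie) {
    printf("%-8s loose=%s strict=%s\n", $label,
        var_export(validate_auth_cookie_loose($cookie, $now), true),
        var_export(validate_auth_cookie_strict($cookie, $now), true));
}

// The loose-comparison pitfall on its own: a constructed "digest" that is
// numerically zero, compared against the single character "0".
$numeric_looking = '0e' . str_repeat('0', 30);
printf("loose:  %s\nstrict: %s\n",
    var_export($numeric_looking == '0', true),
    var_export(hash_equals($numeric_looking, '0'), true));

// Capability enforcement: the same submitted status from two roles.
printf("contributor publish -> %s\n", normalize_post_status('publish', false));
printf("editor publish      -> %s\n", normalize_post_status('publish', true));
```

The point of the strict variant is that the validity decision depends only on the HMAC over fields the server recomputes itself and on a comparison that cannot be satisfied by a type coercion or shortened by a timing side channel; the status normaliser applies the same principle to authorization, deriving the effective status from the caller's capability rather than from the request.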
Fixed with wordpress-3.8.2-1.mga3, wordpress-3.8.2-1.mga4 & wordpress-3.8.2-1.mga5
I don't think it's as simple as just updating to 3.8.2. I think the reason our package had been stuck at 3.6.x was that the newer versions upstream have implemented a feature that automatically downloads and updates wordpress in-place, which is not acceptable for packaged software. We'll need to disable this feature, just as we have with other webapps like webmin.
Version: 3 => 4
Summary: multiple vulnerabilities in wordpress (CVE-2014-0165, CVE-2014-0166) => wordpress new security issues (CVE-2014-0165, CVE-2014-0166)
Whiteboard: (none) => MGA3TOO
Debian has issued an advisory for this on April 12: https://www.debian.org/security/2014/dsa-2901
URL: (none) => http://lwn.net/Vulnerabilities/594738/
CC: (none) => luigiwalser
WordPress 3.8.3 is out, fixing a regression in 3.8.2: http://wordpress.org/news/2014/04/wordpress-3-8-3/
For disabling auto-updates, it looks like option 3 or 4 on the first link below would be the right one, in wp-config.php according to the second link: http://make.wordpress.org/core/2013/10/25/the-definitive-guide-to-disabling-auto-updates-in-wordpress-3-7/ http://codex.wordpress.org/Configuring_Automatic_Background_Updates I don't know enough about WordPress or the package to know which is the right option.
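Added example of the wp-config.php route the comment above points at: an excerpt written for this page, not the Mageia package's own spec or patch, and not a claim about which numbered option in the linked guide is which. The constants are the documented WordPress 3.7+ settings; the default behaviour described in the comments is the one the Codex page documents, and the choice between them for a packaged install is the editor's suggestion.

```php
<?php
// wp-config.php excerpt, added example for a distribution-packaged
// WordPress whose files belong to the package manager rather than to the
// web server user. Database and salt settings are site-specific and omitted.

// Weak (the default since 3.7): the background updater fetches minor and
// security releases of core and writes them in place, bypassing the
// package manager. Leaving WP_AUTO_UPDATE_CORE undefined is equivalent to:
//   define('WP_AUTO_UPDATE_CORE', 'minor');

// Turn the background updater off entirely (core, plugins, themes and
// translations). The dashboard still reports available updates, which is
// what a packager wants: the admin sees the notice, the package delivers it.
define('AUTOMATIC_UPDATER_DISABLED', true);

// Also set core auto-updates off explicitly; this is the value the
// updater's core decision starts from, so the intent survives even if
// something else later re-enables the updater.
define('WP_AUTO_UPDATE_CORE', false);

// Stricter alternative for packaged installs: forbid every file change
// made through the admin UI (plugin and theme installers, updaters and the
// built-in file editor). Enable only when the distribution also ships the
// plugins and themes the site needs, because it removes those installers.
// define('DISALLOW_FILE_MODS', true);
```

Whichever constants are chosen, verifying the result means checking two things after the package is installed: the web server user must not own or be able to write the WordPress tree (otherwise the updater can still rewrite it, which is the ownership concern raised later in this bug), and the admin update screen must offer no "update automatically" action for core.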
Hmm, there is a disable wp_version_check section in the SPEC file (I'm not sure when that was added). I wonder if that's sufficient. Probably not, as Fedora did some extra work to disable it: http://pkgs.fedoraproject.org/cgit/wordpress.git/commit/?id=814a0b32a570d9a9099af7720606f8acaef6542e http://pkgs.fedoraproject.org/cgit/wordpress.git/commit/?id=cd9521671bfaf8c9abf720013bfa7a4bf8e3fd3e We should probably also link to rootcerts like Fedora did: http://pkgs.fedoraproject.org/cgit/wordpress.git/commit/?id=0497598d8986595cfbcbf236474bf9054814c4a4
Oden, can we revert to 3.6.1 and use the patches you used for the MBS update? http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:103/
Would anyone be against just updating everything to latest 3.9.1 (with updates disabled as per fedora)? It just seems easier to relax the version policy here - this is also what fedora seem to do.
CC: (none) => mageia
(In reply to Colin Guthrie from comment #8)
> Would anyone be against just updating everything to latest 3.9.1 (with
> updates disabled as per fedora)? It just seems easier to relax the version
> policy here - this is also what fedora seem to do.

We've always just updated this to the newest version in the past, so that's fine. The issue with this update is the introduction of the auto-updating feature in 3.7. As long as that's sufficiently disabled, updating this to the newest version would be great.
OK, so they are now available.

wordpress-3.9.1-1.mga3
wordpress-3.9.1-1.mga4

(both srpm and noarch.rpm)

Patch is basically direct from Fedora (combined two of their patches into one and removed a hunk that didn't apply for us) + a small patch by me to kill code that would ultimately crash due to an incomplete copy of PHPMailer.

Tested it on mga4 briefly (did an install).

Note that our packaging is kinda weird as it is all owned by the apache user... this means it *is* updatable, even if this is now disabled. I didn't want to mess too much as I'm not the maintainer.
Thanks Colin! CC'ing Damien, the maintainer. Damien, please consider the notes in Comment 6 about removing the bundled cacerts and requiring rootcerts instead and in Comment 10 about the file ownership in the package.
Assigning to QA.

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

WordPress before 3.7.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php (CVE-2014-0165).

The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie (CVE-2014-0166).

The wordpress package has been updated to version 3.9.1, fixing these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0166
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:103/
========================

Updated packages in core/updates_testing:
========================
wordpress-3.9.1-1.mga3
wordpress-3.9.1-1.mga4

from SRPMS:
wordpress-3.9.1-1.mga3.src.rpm
wordpress-3.9.1-1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Severity: normal => critical
Testing complete mga4 64

Tested at the same time as the php update in bug 13476.

Before - it shows 3 updates available.
After - it upgrades the database and shows as fully up to date.

Easy to configure: just follow the README.urpmi, which is displayed when you install the package, to create a database, then visit it at http://localhost/wordpress
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32 & 64

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0254.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED