Bug 13877 - wordpress new XML-RPC DoS issue fixed upstream in 3.9.2
Summary: wordpress new XML-RPC DoS issue fixed upstream in 3.9.2
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/608414/
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-32...
Keywords: validated_update
Depends on:
Reported: 2014-08-07 20:32 CEST by David Walser
Modified: 2014-08-21 19:58 CEST (History)
3 users (show)

See Also:
Source RPM: wordpress-3.9.1-1.mga5.src.rpm
Status comment:


Description David Walser 2014-08-07 20:32:28 CEST
Upstream has issued an advisory on August 6:

CVE request:

No response yet.

Mageia 3 and Mageia 4 are also affected.


Steps to Reproduce:
David Walser 2014-08-07 20:32:34 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-08-08 21:23:58 CEST
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

As with Drupal, waiting on the CVE assignment for the advisory.

Updated packages in core/updates_testing:

from SRPMS:

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 Bill Wilkinson 2014-08-09 14:06:45 CEST
Tested mga4-64.

Database updates, no updates shown from dashboard.

Posted a page, a comment from front page which display normally.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 3 Bill Wilkinson 2014-08-10 16:08:47 CEST
Tested mga4-32

Clean install, no updates shown from dashboard.

Posted a page, a comment and a blog post which display as they should.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok

Comment 4 Bill Wilkinson 2014-08-10 17:44:07 CEST
tested mga3-32

Clean install, no updates shown from dashboard.

Posted a page, a post and a comment, which display as they should.

URPMI is giving me problems on my mga3-64 setup, so if someone else can test that before I get the time to figure out what's wrong would be appreciated!
Bill Wilkinson 2014-08-10 17:47:59 CEST

Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok

Comment 5 Rémi Verschelde 2014-08-11 15:12:16 CEST
As we decided during the last QA meeting, three successful tests on two releases is enough, we can validate this one as is. I'll upload the advisory in the evening.

Keywords: (none) => validated_update
CC: (none) => remi, sysadmin-bugs

Comment 6 David Walser 2014-08-11 15:27:36 CEST
Still no response to the CVE request, so this is all I have for right now.


Updated wordpress packages fix security vulnerabilities:

Multiple vulnerabilities in WordPress before 3.9.2, including denial of
service and information disclosure issues related to XML entity expansion.

The wordpress package has been updated to version 3.9.2 to fix these issues.
See the release announcement for more details.

Comment 7 David Walser 2014-08-11 17:09:05 CEST
Debian has issued an advisory for this on August 9:
David Walser 2014-08-11 17:13:31 CEST

URL: (none) => http://lwn.net/Vulnerabilities/608414/

Comment 8 Rémi Verschelde 2014-08-11 17:51:24 CEST
Advisory uploaded.

Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok advisory

Comment 9 Mageia Robot 2014-08-12 11:17:36 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Comment 10 David Walser 2014-08-13 13:44:49 CEST
MITRE finally woke up and assigned some CVEs:

CVE-2014-5203, CVE-2014-5204, CVE-2014-5205.

However, these CVEs just cover the other minor issues fixed in this update, not the issues related to XML entity expansion.
Comment 11 David Walser 2014-08-14 13:38:07 CEST
CVE-2014-5240 was also assigned:

Still doesn't address the XML entity expansion issues though.
Comment 12 David Walser 2014-08-21 19:56:59 CEST
MITRE finally assigned some CVEs (CVE-2014-526[56]):

LWN reference:

Note that CVE-2014-5267 only applies to Drupal.
Comment 13 David Walser 2014-08-21 19:58:46 CEST
LWN reference for the other CVEs I had mentioned previously:

Note You need to log in before you can comment on or make changes to this bug.