Upstream has issued an advisory on August 6: https://wordpress.org/news/2014/08/wordpress-3-9-2/ CVE request: http://openwall.com/lists/oss-security/2014/08/07/2 No response yet. Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. As with Drupal, waiting on the CVE assignment for the advisory. Updated packages in core/updates_testing: ======================== wordpress-3.9.2-1.mga3 wordpress-3.9.2-1.mga4 from SRPMS: wordpress-3.9.2-1.mga3.src.rpm wordpress-3.9.2-1.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Tested mga4-64. Database updates, no updates shown from dashboard. Posted a page, a comment from front page which display normally.
CC: (none) => wrw105Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Tested mga4-32 Clean install, no updates shown from dashboard. Posted a page, a comment and a blog post which display as they should.
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok
tested mga3-32 Clean install, no updates shown from dashboard. Posted a page, a post and a comment, which display as they should. URPMI is giving me problems on my mga3-64 setup, so if someone else can test that before I get the time to figure out what's wrong would be appreciated!
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok
As we decided during the last QA meeting, three successful tests on two releases is enough, we can validate this one as is. I'll upload the advisory in the evening.
Keywords: (none) => validated_updateCC: (none) => remi, sysadmin-bugs
Still no response to the CVE request, so this is all I have for right now. Advisory: ======================== Updated wordpress packages fix security vulnerabilities: Multiple vulnerabilities in WordPress before 3.9.2, including denial of service and information disclosure issues related to XML entity expansion. The wordpress package has been updated to version 3.9.2 to fix these issues. See the release announcement for more details. References: https://wordpress.org/news/2014/08/wordpress-3-9-2/
Debian has issued an advisory for this on August 9: https://www.debian.org/security/2014/dsa-3001
URL: (none) => http://lwn.net/Vulnerabilities/608414/
Advisory uploaded.
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0328.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
MITRE finally woke up and assigned some CVEs: http://openwall.com/lists/oss-security/2014/08/13/3 CVE-2014-5203, CVE-2014-5204, CVE-2014-5205. However, these CVEs just cover the other minor issues fixed in this update, not the issues related to XML entity expansion.
CVE-2014-5240 was also assigned: http://openwall.com/lists/oss-security/2014/08/14/2 Still doesn't address the XML entity expansion issues though.
MITRE finally assigned some CVEs (CVE-2014-526[56]): http://openwall.com/lists/oss-security/2014/08/16/4 LWN reference: http://lwn.net/Vulnerabilities/609181/ Note that CVE-2014-5267 only applies to Drupal.
LWN reference for the other CVEs I had mentioned previously: http://lwn.net/Vulnerabilities/609184/