Upstream has announced version 4.0.1 today (November 20):
https://wordpress.org/news/2014/11/wordpress-4-0-1/
CVEs have been requested here:
http://openwall.com/lists/oss-security/2014/11/20/43
Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Now I see that there is a 3.9.3 release available. If I'm reading the upstream announcement correctly, it just fixes the one critical XSS issue (which didn't affect 4.0), and the other security issues fixed in 4.0.1 only affected 4.0.
Freeze push requested for Cauldron.
Updated packages uploaded for Mageia 3 and Mageia 4.
Advisory to come later.
Updated packages in core/updates_testing:
========================
wordpress-3.9.3-1.mga3
wordpress-3.9.3-1.mga4
from SRPMS:
wordpress-3.9.3-1.mga3.src.rpm
wordpress-3.9.3-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing on Mageia3-64 real HW
Current packages :
----------------
wordpress-3.9.2-1.mga3
Had already an installation and a wordpress blog from previous testing.
Connected to it, made some changes. OK
Installed update testing package :
--------------------------------
# rpm -q wordpress
wordpress-3.9.3-1.mga3
Could connect to previous blog, make some changes.
Dropped previous wordpress database, created a new one, went through new installation, created new blog, wrote articles, added menus, images, widgets, changed background, logged out and back in...
All Ok
CC: (none) => olchal
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK
Procedure I used to test wordpress (based on readme.urpmi in rpm shown at installation) :
# urpmi wordpress
# systemctl start mysqld.service
$ mysql -u root -p
MariaDB [(none)]> create database wordpress;
MariaDB [(none)]> create user 'wordpressuser'@'localhost' identified by 'password';
MariaDB [(none)]> grant all on wordpress.* to 'wordpress'@'localhost';
MariaDB [(none)]> exit;
In browser : http://localhost/wordpress
Completed installation, created a blog, created 2 articles, modified 1 article, added attachment, added widgets, changed preferences, logged out and in.
Sorry, error in Comment 3 on MariaDB third line. Here is the modified procedure :
Procedure I used to test wordpress (based on readme.urpmi in rpm shown at installation) :
# urpmi wordpress
# systemctl start mysqld.service
$ mysql -u root -p
MariaDB [(none)]> create database wordpress;
MariaDB [(none)]> create user 'wordpressuser'@'localhost' identified by 'password';
MariaDB [(none)]> grant all on wordpress.* to 'wordpressuser'@'localhost';
MariaDB [(none)]> exit;
If needed, wordpress base configuration can be found here : /var/www/wordpress/wp-config.php
(I had to manually change the database user from a previous installation)
In browser : http://localhost/wordpress
Completed installation, created a blog, created 2 articles, modified 1 article, added attachment, added widgets, changed preferences, logged out and in.
Testing on Mageia4-64 real HW
Followed same procedure (comment 4) with :
Current package :
---------------
# rpm -q wordpress
wordpress-3.9.2-1.mga4
then :
Updated testing package :
-----------------------
# rpm -q wordpress
wordpress-3.9.3-1.mga4
All OK
Whiteboard: MGA3TOO MGA3-64-OK => MGA3TOO MGA3-64-OK MGA4-64-OK
In VirtualBox, M3, KDE, 32-bit
Package(s) under test:
wordpress
default install of package
[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.2-1.mga3.noarch is already installed
I can open and run http://localhost/wordpress/
install wordpress from updates_testing
[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.3-1.mga3.noarch is already installed
I can open and run http://localhost/wordpress/
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO MGA3-64-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit
Package(s) under test:
wordpress
default install of package
[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.2-1.mga3.noarch is already installed
I can open and run http://localhost/wordpress/
install wordpress from updates_testing
[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.3-1.mga4.noarch is already installed
I can open and run http://localhost/wordpress/
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
David, could you write the advisory for this one?
CC: (none) => remi
CVE request: http://openwall.com/lists/oss-security/2014/11/25/10
CVE assignment: http://openwall.com/lists/oss-security/2014/11/25/12

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

XSS in wptexturize() via comments or posts, exploitable for unauthenticated users (CVE-2014-9031).

XSS in media playlists (CVE-2014-9032).

CSRF in the password reset process (CVE-2014-9033).

Denial of service for giant passwords. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034).

XSS in Press This (CVE-2014-9035).

XSS in HTML filtering of CSS in posts (CVE-2014-9036).

Hash comparison vulnerability in old-style MD5-stored passwords (CVE-2014-9037).

SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space (CVE-2014-9038).

Previously an email address change would not invalidate a previous password reset email (CVE-2014-9039).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9036
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9037
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9039
https://wordpress.org/news/2014/11/wordpress-4-0-1/
http://openwall.com/lists/oss-security/2014/11/25/12
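
The CVE-2014-9034 entry in the advisory above, as an added example (not part of this bug report, and not WordPress or phpass code; written in Python rather than PHP): an iterated hash in the style of phpass portable hashes re-reads the whole password every round, so the work grows with password length times rounds, and a length cap checked before hashing bounds it. MAX_PASSWORD_BYTES, ROUNDS, SALT_BYTES and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Constructed values for this sketch; none of them comes from the bug report.
MAX_PASSWORD_BYTES = 4096
ROUNDS = 1 << 13
SALT_BYTES = 8

class PasswordTooLong(ValueError):
    """Raised before any hashing when the input exceeds the cap."""

def stretch(password, salt, rounds=ROUNDS):
    """Iterated-MD5 stretching in the style of phpass portable hashes.

    Each round feeds the whole password to the hash again. Returns
    (digest, bytes_hashed) so the work done is visible to the caller.
    """
    digest = hashlib.md5(salt + password).digest()
    hashed = len(salt) + len(password)
    for _ in range(rounds):
        digest = hashlib.md5(digest + password).digest()
        hashed += len(digest) + len(password)
    return digest, hashed

def hashing_cost(password_len, rounds=ROUNDS):
    """Bytes fed to MD5 for a password of this length, without hashing."""
    return SALT_BYTES + password_len + rounds * (16 + password_len)

def hash_password(password):
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:   # the maximum length the advisory says was not set
        raise PasswordTooLong(len(raw))
    salt = os.urandom(SALT_BYTES)
    return salt, stretch(raw, salt)[0]

def check_password(password, salt, expected):
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:   # reject before spending CPU on the login path
        return False
    return hmac.compare_digest(stretch(raw, salt)[0], expected)

if __name__ == "__main__":
    for n in (12, MAX_PASSWORD_BYTES, 1_000_000):
        print(f"{n:>9} byte password -> {hashing_cost(n):>13,} bytes hashed")
```

With these constants a 1,000,000-byte password would push roughly 8 GB through the hash for a single login attempt, while the capped maximum stays near 34 MB.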
Advisory uploaded.
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0493.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/623293/