Bug 14625 - wordpress new security issues fixed upstream in 4.0.1
Summary: wordpress new security issues fixed upstream in 4.0.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/623293/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-20 22:29 CET by David Walser
Modified: 2014-11-28 18:18 CET

See Also:
Source RPM: wordpress-3.9.2-4.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2014-11-20 22:29:49 CET
Upstream has announced version 4.0.1 today (November 20):
https://wordpress.org/news/2014/11/wordpress-4-0-1/

CVEs have been requested here:
http://openwall.com/lists/oss-security/2014/11/20/43

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-11-20 22:29:57 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-11-21 21:10:29 CET
Now I see that there is a 3.9.3 release available.  If I'm reading the upstream announcement correctly, it just fixes the one critical XSS issue (which didn't affect 4.0), and the other security issues fixed in 4.0.1 only affected 4.0.

Freeze push requested for Cauldron.

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory to come later.

Updated packages in core/updates_testing:
========================
wordpress-3.9.3-1.mga3
wordpress-3.9.3-1.mga4

from SRPMS:
wordpress-3.9.3-1.mga3.src.rpm
wordpress-3.9.3-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 olivier charles 2014-11-22 23:59:48 CET
Testing on Mageia3-64 real HW

Current packages :
----------------
wordpress-3.9.2-1.mga3
I already had an installation and a wordpress blog from previous testing.
Connected to it, made some changes.
OK

Installed update testing package :
--------------------------------

# rpm -q wordpress
wordpress-3.9.3-1.mga3

Could connect to previous blog, make some changes.
Dropped previous wordpress database, 
created a new one, went through new installation,
created new blog, wrote articles, added menus, images, widgets,
changed background, logged out and back in...

All Ok

CC: (none) => olchal
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK

Comment 3 olivier charles 2014-11-23 07:44:09 CET
Procedure I used to test wordpress (based on the readme.urpmi in the rpm, shown at installation):

# urpmi wordpress
# systemctl start mysqld.service
$ mysql -u root -p
MariaDB [(none)]> create database wordpress;
MariaDB [(none)]> create user 'wordpressuser'@'localhost' identified by 'password';
MariaDB [(none)]> grant all on wordpress.* to 'wordpress'@'localhost';
MariaDB [(none)]> exit;

In browser :
http://localhost/wordpress

Completed installation,
Created a blog, created 2 articles, modified 1 article,
added attachment, added widgets, changed preferences,
logged out and in.
Comment 4 olivier charles 2014-11-23 07:51:20 CET
Sorry, error in Comment 3 on MariaDB third line.

Here is modified procedure :

Procedure I used to test wordpress (based on the readme.urpmi in the rpm, shown at installation):

# urpmi wordpress
# systemctl start mysqld.service
$ mysql -u root -p
MariaDB [(none)]> create database wordpress;
MariaDB [(none)]> create user 'wordpressuser'@'localhost' identified by 'password';
MariaDB [(none)]> grant all on wordpress.* to 'wordpressuser'@'localhost';
MariaDB [(none)]> exit;


If needed, wordpress base configuration can be found here :
/var/www/wordpress/wp-config.php
(I had to change manually database user from a previous installation)

In browser :
http://localhost/wordpress


Completed installation,
Created a blog, created 2 articles, modified 1 article,
added attachment, added widgets, changed preferences,
logged out and in.
Comment 5 olivier charles 2014-11-23 11:14:14 CET
Testing on Mageia4-64 real HW

Followed same procedure (comment 4)

with :

Current package :
---------------
# rpm -q wordpress
wordpress-3.9.2-1.mga4

then :

Updated testing package :
-----------------------
# rpm -q wordpress
wordpress-3.9.3-1.mga4

All OK

Whiteboard: MGA3TOO MGA3-64-OK => MGA3TOO MGA3-64-OK MGA4-64-OK

Comment 6 William Kenney 2014-11-25 02:57:00 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
wordpress

default install of package

[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.2-1.mga3.noarch is already installed

I can open and run http://localhost/wordpress/

install wordpress from updates_testing

[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.3-1.mga3.noarch is already installed

I can open and run http://localhost/wordpress/

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: MGA3TOO MGA3-64-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK

Comment 7 William Kenney 2014-11-25 03:10:31 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
wordpress

default install of package

[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.2-1.mga3.noarch is already installed

I can open and run http://localhost/wordpress/

install wordpress from updates_testing

[root@localhost wilcal]# urpmi wordpress
Package wordpress-3.9.3-1.mga4.noarch is already installed

I can open and run http://localhost/wordpress/

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 8 William Kenney 2014-11-25 03:11:13 CET
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Rémi Verschelde 2014-11-25 12:14:42 CET
David, could you write the advisory for this one?

CC: (none) => remi

Comment 10 David Walser 2014-11-25 21:34:47 CET
CVE request:
http://openwall.com/lists/oss-security/2014/11/25/10

CVE assignment:
http://openwall.com/lists/oss-security/2014/11/25/12

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

XSS in wptexturize() via comments or posts, exploitable for unauthenticated users (CVE-2014-9031).

XSS in media playlists (CVE-2014-9032).

CSRF in the password reset process (CVE-2014-9033).

Denial of service for giant passwords. The phpass library by Solar Designer
was used in both projects without setting a maximum password length, which
can lead to CPU exhaustion upon hashing (CVE-2014-9034).

XSS in Press This (CVE-2014-9035).

XSS in HTML filtering of CSS in posts (CVE-2014-9036).

Hash comparison vulnerability in old-style MD5-stored passwords
(CVE-2014-9037).

SSRF: Safe HTTP requests did not sufficiently block the loopback IP address
space (CVE-2014-9038).

Previously an email address change would not invalidate a previous password
reset email (CVE-2014-9039).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9036
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9037
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9039
https://wordpress.org/news/2014/11/wordpress-4-0-1/
http://openwall.com/lists/oss-security/2014/11/25/12
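The CPU-exhaustion item in the advisory above (CVE-2014-9034) comes from the phpass portable hash re-hashing the whole password on every round, so hashing cost grows linearly with password length. The following Python sketch is an added illustration, not code from the bug report or from WordPress/phpass: it reproduces the phpass portable loop, quantifies the MD5 input per verification as a function of password length, and wraps it in a length check applied before any hashing. The 4096-byte cap and the round exponent are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed cap for this example: refuse oversized input before doing any hashing work.
MAX_PASSWORD_BYTES = 4096


def phpass_portable_hash(password: bytes, salt: bytes, log2_rounds: int = 8) -> bytes:
    """Core loop of the phpass 'portable' scheme: md5(salt+pw), then repeated
    md5(prev+pw). Every round re-hashes the full password, so work is
    proportional to rounds * len(password)."""
    if len(salt) != 8:
        raise ValueError("phpass portable hashes use an 8-byte salt")
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << log2_rounds):
        h = hashlib.md5(h + password).digest()
    return h


def md5_input_bytes(password_len: int, log2_rounds: int = 8) -> int:
    """Bytes pushed through MD5 for one hash or verify of a password of this length."""
    return (8 + password_len) + (1 << log2_rounds) * (16 + password_len)


def hash_password(password: bytes, salt: bytes, log2_rounds: int = 8):
    """Hardened wrapper: reject over-long passwords before hashing (cap value assumed),
    so a single request cannot dictate how much CPU the hash loop burns."""
    if len(password) > MAX_PASSWORD_BYTES:
        return None
    return phpass_portable_hash(password, salt, log2_rounds)


def check_password(password: bytes, salt: bytes, expected: bytes, log2_rounds: int = 8) -> bool:
    """Verify under the same cap; an oversized candidate fails without being hashed.
    Constant-time comparison avoids the loose-comparison class of bug as well."""
    got = hash_password(password, salt, log2_rounds)
    if got is None:
        return False
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    salt = os.urandom(8)
    normal = b"correct horse battery staple"
    huge = b"A" * (1 << 20)  # constructed 1 MiB candidate password
    print("normal password:", md5_input_bytes(len(normal)), "bytes through MD5")
    print("1 MiB password :", md5_input_bytes(len(huge)), "bytes through MD5")
    stored = hash_password(normal, salt)
    print("normal verifies:", check_password(normal, salt, stored))
    print("huge rejected before hashing:", not check_password(huge, salt, stored))
```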
Comment 11 Rémi Verschelde 2014-11-26 13:01:33 CET
Advisory uploaded.
Rémi Verschelde 2014-11-26 13:11:02 CET

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 12 Mageia Robot 2014-11-26 18:30:18 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0493.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-28 18:18:44 CET

URL: (none) => http://lwn.net/Vulnerabilities/623293/

