Upstream has released version 3.9.4 on April 21, fixing several security issues:
Mageia 4 and Mageia 5 are affected.
Updates checked in to Mageia 4 and Cauldron SVN. Freeze push requested.
Updated packages uploaded for Mageia 4 and Cauldron.
Updated wordpress packages fix security vulnerabilities:
The wordpress package has been updated to version 3.9.4, which fixes several
security issues, including a cross-site scripting issue which can be exploited
by remote unauthenticated users.
Updated packages in core/updates_testing:
MGA5TOO, MGA4TOO =>
Testing complete mga4 64
Tested at the same time as the php update in bug 15721
Updated ok and works ok. Confirmed the relevant files from the link in comment 1 had been updated, with rpmdiff.
$ rpmdiff -iT wordpress-3.9.3-1.mga4.noarch.rpm wordpress-3.9.4-1.mga4.noarch.rpm | grep S.5
has_procedure mga4-64-ok =>
has_procedure advisory mga4-64-ok
Testing complete mga4 32
Please push to 4 updates
has_procedure advisory mga4-64-ok =>
has_procedure advisory mga4-64-ok mga4-32-ok
An update for this issue has been pushed to Mageia Updates repository.
The issue described in our advisory was assigned CVE-2015-3438, and there was also, from the release notes, the "very limited cross-site scripting vulnerability could be used as part of a social engineering attack," which was assigned CVE-2015-3439:
wordpress new security issues fixed upstream in 3.9.4 =>
wordpress new security issues fixed upstream in 3.9.4 (CVE-2015-343)