Upstream has released version 3.9.4 on April 21, fixing several security issues:
http://codex.wordpress.org/Version_3.9.4

Mageia 4 and Mageia 5 are affected.

Updates checked in to Mageia 4 and Cauldron SVN. Freeze push requested.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14625#c4

Advisory:
========================

Updated wordpress packages fixes security vulnerabilities:

The wordpress package has been updated to version 3.9.4, which fixes several security issues, including a cross-site scripting issue which can be exploited by remote unauthenticated users.

References:
http://codex.wordpress.org/Version_3.9.4
========================

Updated packages in core/updates_testing:
========================
wordpress-3.9.4-1.mga4

from wordpress-3.9.4-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
Testing complete mga4 64

Tested at the same time as the php update in bug 15721.

Updated ok and works ok. Confirmed the relevant files from the link in comment 1 had been updated, with rpmdiff.

$ rpmdiff -iT wordpress-3.9.3-1.mga4.noarch.rpm wordpress-3.9.4-1.mga4.noarch.rpm | grep S.5
S.5........ /var/www/wordpress/wp-admin/about.php
S.5........ /var/www/wordpress/wp-admin/includes/class-wp-comments-list-table.php
S.5........ /var/www/wordpress/wp-admin/includes/dashboard.php
S.5........ /var/www/wordpress/wp-admin/includes/post.php
S.5........ /var/www/wordpress/wp-admin/includes/template.php
S.5........ /var/www/wordpress/wp-includes/capabilities.php
S.5........ /var/www/wordpress/wp-includes/class-wp-editor.php
S.5........ /var/www/wordpress/wp-includes/formatting.php
S.5........ /var/www/wordpress/wp-includes/js/plupload/plupload.flash.swf
S.5........ /var/www/wordpress/wp-includes/wp-db.php
Whiteboard: has_procedure => has_procedure mga4-64-ok
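The rpmdiff check in the comment above, written as a repeatable script; this is an added example, not part of the original bug report or of Mageia's QA tooling. The function names, the sample report and the S15-notes.txt line are constructed for illustration. It anchors the flag match to the first field, since an unanchored `grep S.5` also matches any path that happens to contain "S", one character, then "5".

```shell
#!/bin/sh
# Read rpmdiff output on stdin and print only the paths whose flag field
# starts with S<any>5, i.e. both size (S) and digest (5) changed.
changed_files() {
    awk '$1 ~ /^S.5/ { sub(/^[^[:space:]]+[[:space:]]+/, ""); print }'
}

# Read rpmdiff output on stdin; arguments are paths expected to have changed.
# Prints each expected path that did not change and returns 1 if any is missing.
missing_expected() {
    changed=$(changed_files)
    rc=0
    for path in "$@"; do
        printf '%s\n' "$changed" | grep -Fxq -- "$path" || {
            printf 'NOT CHANGED: %s\n' "$path"
            rc=1
        }
    done
    return "$rc"
}

# Constructed sample: three lines copied from the comment above plus one
# made-up "added" line whose path contains "S15" to show the false match.
sample_report() {
    cat <<'EOF'
S.5........ /var/www/wordpress/wp-includes/capabilities.php
S.5........ /var/www/wordpress/wp-includes/formatting.php
S.5........ /var/www/wordpress/wp-includes/wp-db.php
added       /var/www/wordpress/wp-content/S15-notes.txt
EOF
}

echo "unanchored grep S.5 matches: $(sample_report | grep -c 'S.5') lines"
echo "anchored flag match:         $(sample_report | changed_files | wc -l) lines"

sample_report | missing_expected \
    /var/www/wordpress/wp-includes/formatting.php \
    /var/www/wordpress/wp-includes/wp-db.php \
    && echo "all expected files changed"
```

In real use, pipe `rpmdiff -iT old.rpm new.rpm` into `missing_expected` in place of `sample_report`.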
Advisory uploaded.
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
Testing complete mga4 32

Validating.

Please push to 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0170.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/642038/
CVE request: http://openwall.com/lists/oss-security/2015/04/26/2
The issue described in our advisory was assigned CVE-2015-3438, and there was also from the release notes the "very limited cross-site scripting vulnerability could be used as part of a social engineering attack," which was assigned CVE-2015-3439: http://openwall.com/lists/oss-security/2015/04/28/7
Summary: wordpress new security issues fixed upstream in 3.9.4 => wordpress new security issues fixed upstream in 3.9.4 (CVE-2015-343[89])