Bug 15745 - wordpress new security issues fixed upstream in 3.9.4 (CVE-2015-343[89])
Summary: wordpress new security issues fixed upstream in 3.9.4 (CVE-2015-343[89])
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/642038/
Whiteboard: has_procedure advisory mga4-64-ok mga...
Keywords: validated_update
Depends on:
Reported: 2015-04-22 16:41 CEST by David Walser
Modified: 2015-04-29 16:57 CEST

See Also:
Source RPM: wordpress-3.9.3-1.mga5.src.rpm
Status comment:


Description David Walser 2015-04-22 16:41:18 CEST
Upstream has released version 3.9.4 on April 21, fixing several security issues:

Mageia 4 and Mageia 5 are affected.

Updates checked in to Mageia 4 and Cauldron SVN.  Freeze push requested.


Steps to Reproduce:
David Walser 2015-04-22 16:41:30 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-24 16:56:29 CEST
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:


Updated wordpress packages fix security vulnerabilities:

The wordpress package has been updated to version 3.9.4, which fixes several
security issues, including a cross-site scripting issue which can be exploited
by remote unauthenticated users.


Updated packages in core/updates_testing:

from wordpress-3.9.4-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure

Comment 2 claire robinson 2015-04-24 17:26:29 CEST
Testing complete mga4 64

Tested at the same time as the php update in bug 15721

Updated ok and works ok. Confirmed the relevant files from the link in comment 1 had been updated, with rpmdiff.

$ rpmdiff -iT wordpress-3.9.3-1.mga4.noarch.rpm wordpress-3.9.4-1.mga4.noarch.rpm | grep S.5
S.5........ /var/www/wordpress/wp-admin/about.php
S.5........ /var/www/wordpress/wp-admin/includes/class-wp-comments-list-table.php
S.5........ /var/www/wordpress/wp-admin/includes/dashboard.php
S.5........ /var/www/wordpress/wp-admin/includes/post.php
S.5........ /var/www/wordpress/wp-admin/includes/template.php
S.5........ /var/www/wordpress/wp-includes/capabilities.php
S.5........ /var/www/wordpress/wp-includes/class-wp-editor.php
S.5........ /var/www/wordpress/wp-includes/formatting.php
S.5........ /var/www/wordpress/wp-includes/js/plupload/plupload.flash.swf
S.5........ /var/www/wordpress/wp-includes/wp-db.php

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 3 claire robinson 2015-04-24 17:53:57 CEST
Advisory uploaded.

Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok

Comment 4 claire robinson 2015-04-25 14:32:50 CEST
Testing complete mga4 32


Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-04-25 22:15:49 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

David Walser 2015-04-27 19:27:59 CEST

URL: (none) => http://lwn.net/Vulnerabilities/642038/

Comment 6 David Walser 2015-04-28 00:10:37 CEST
CVE request:
Comment 7 David Walser 2015-04-29 16:57:15 CEST
The issue described in our advisory was assigned CVE-2015-3438, and there was also from the release notes the "very limited cross-site scripting vulnerability could be used as part of a social engineering attack," which was assigned CVE-2015-3439:

Summary: wordpress new security issues fixed upstream in 3.9.4 => wordpress new security issues fixed upstream in 3.9.4 (CVE-2015-343[89])
