Another security update for wordpress 4.x came out today, and presumably 3.9.6 will be available soon as well:
http://codex.wordpress.org/Version_3.9.6

There was also version 3.9.5, which fixed a regression introduced in 3.9.4:
http://codex.wordpress.org/Version_3.9.5

We'll need to update Mageia 4 and Mageia 5 again once the 3.9.6 tarball is out.

CVE request:
http://openwall.com/lists/oss-security/2015/04/27/4

A CVE has also been requested for the issue fixed in our previous update (see Bug 15745).
Whiteboard: (none) => MGA5TOO, MGA4TOO
CVE-2015-3440 was assigned (see the bottom of the post): http://openwall.com/lists/oss-security/2015/04/28/7
Summary: wordpress new security issue fixed upstream in 3.9.6 => wordpress new security issue fixed upstream in 3.9.6 (CVE-2015-3440)
I contacted upstream and they said they are still working on the 3.9.6 release.
Dropped from Cauldron as it's unmaintained and was never updated to 4.x. The 3.9.6 tarball is still not available :o(
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Updated package uploaded for Mageia 4.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14625#c4

Advisory:
========================

Updated wordpress packages fix security vulnerabilities:

The wordpress package has been updated to version 3.9.6, which fixes multiple cross-site scripting issues, including CVE-2015-3440, and other bugs.

Note that upstream has advised us that WordPress 3.9.x is no longer supported. As this package is unmaintained, this may be the last update for this package. Downloading the latest version from upstream and using that, as well as making use of its auto-update capability, may be preferable to using this package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3440
http://codex.wordpress.org/Version_3.9.5
http://codex.wordpress.org/Version_3.9.6
========================

Updated packages in core/updates_testing:
========================
wordpress-3.9.6-1.mga4

from wordpress-3.9.6-1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Tested mga4-64. Update requested database update, which completed without incident. Added and edited a page, added and modified blog post, added and removed a user. All OK.
CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga4-64-ok
Just realized this is a noarch package, so... Validating. Ready for push when advisory uploaded to svn.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0202.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Debian used CVE-2015-3429 for a cross-site scripting issue fixed in this update. I don't know where they got that CVE from. https://lists.debian.org/debian-security-announce/2015/msg00224.html
URL: (none) => http://lwn.net/Vulnerabilities/653500/