Bug 15786 - wordpress new security issue fixed upstream in 3.9.6 (CVE-2015-3440)
Summary: wordpress new security issue fixed upstream in 3.9.6 (CVE-2015-3440)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/653500/
Whiteboard: has_procedure advisory mga4-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-28 00:11 CEST by David Walser
Modified: 2015-08-04 22:32 CEST
CC List: 2 users

See Also:
Source RPM: wordpress-3.9.4-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-04-28 00:11:12 CEST
Another security update for wordpress 4.x came out today, and presumably 3.9.6 will be available soon as well:
http://codex.wordpress.org/Version_3.9.6

There was also version 3.9.5, which fixed a regression introduced in 3.9.4:
http://codex.wordpress.org/Version_3.9.5

We'll need to update Mageia 4 and Mageia 5 again once the 3.9.6 tarball is out.

CVE request:
http://openwall.com/lists/oss-security/2015/04/27/4

A CVE has also been requested for the issue fixed in our previous update (see Bug 15745).

David Walser 2015-04-28 00:11:24 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-29 16:57:56 CEST
CVE-2015-3440 was assigned (see the bottom of the post):
http://openwall.com/lists/oss-security/2015/04/28/7

Summary: wordpress new security issue fixed upstream in 3.9.6 => wordpress new security issue fixed upstream in 3.9.6 (CVE-2015-3440)

Comment 2 David Walser 2015-05-01 17:58:42 CEST
I contacted upstream and they said they are still working on the 3.9.6 release.
Comment 3 David Walser 2015-05-04 23:48:48 CEST
Dropped from Cauldron as it's unmaintained and was never updated to 4.x.

The 3.9.6 tarball is still not available :o(

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 David Walser 2015-05-07 12:51:47 CEST
Updated package uploaded for Mageia 4.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14625#c4

Advisory:
========================

Updated wordpress packages fix security vulnerabilities:

The wordpress package has been updated to version 3.9.6, which fixes multiple
cross-site scripting issues, including CVE-2015-3440, and other bugs.

Note that upstream has advised us that WordPress 3.9.x is no longer supported.
As this package is unmaintained, this may be the last update for this package.
Downloading the latest version from upstream and using that, as well as making
use of its auto-update capability, may be preferable to using this package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3440
http://codex.wordpress.org/Version_3.9.5
http://codex.wordpress.org/Version_3.9.6
========================

Updated packages in core/updates_testing:
========================
wordpress-3.9.6-1.mga4

from wordpress-3.9.6-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 5 Bill Wilkinson 2015-05-07 14:14:25 CEST
Tested mga4-64.

Update requested database update, which completed without incident.

Added and edited a page, added and modified blog post, added and removed a user.  All OK.

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga4-64-ok

Comment 6 Bill Wilkinson 2015-05-07 15:16:35 CEST
Just realized this is a noarch package, so...

Validating.  Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2015-05-08 21:25:39 CEST
Advisory uploaded.

Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok

Comment 8 Mageia Robot 2015-05-09 01:54:48 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0202.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2015-08-04 22:32:17 CEST
Debian used CVE-2015-3429 for a cross-site scripting issue fixed in this update.  I don't know where they got that CVE from.
https://lists.debian.org/debian-security-announce/2015/msg00224.html

URL: (none) => http://lwn.net/Vulnerabilities/653500/
