Upstream has announced new versions today (July 23): https://wordpress.org/news/2015/07/wordpress-4-2-3/ The issue was fixed upstream in versions 4.2.3 and 3.9.7: http://codex.wordpress.org/Version_3.9.7 Updated package uploaded for Mageia 4. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14625#c4 Advisory: ======================== Updated wordpress packages fixes security vulnerabilities: WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. WordPress versions 4.2.2 and earlier are affected by an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. References: http://codex.wordpress.org/Version_3.9.7 https://wordpress.org/news/2015/07/wordpress-4-2-3/ ======================== Updated packages in core/updates_testing: ======================== wordpress-3.9.7-1.mga4 from wordpress-3.9.7-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => has_procedure
CVE request: http://openwall.com/lists/oss-security/2015/07/23/15
CVE assignments and more details: http://openwall.com/lists/oss-security/2015/07/23/18 Advisory: ======================== Updated wordpress packages fixes security vulnerabilities: WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site (CVE-2015-5622). WordPress versions 4.2.2 and earlier are affected by an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft (CVE-2015-5623). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623 http://codex.wordpress.org/Version_3.9.7 https://wordpress.org/news/2015/07/wordpress-4-2-3/ http://openwall.com/lists/oss-security/2015/07/23/18
Summary: wordpress new security issue fixed upstream in 3.9.7 => wordpress new security issues fixed upstream in 3.9.7 (CVE-2015-5622 and CVE-2015-5623)
Trying MGA4 x64 Two things. 1] Confused by the difference between Wordpress & Mageia version-IDs.(Description) 2] Silly perhaps, but I need to get past this... Having installed Wordpress OK from released repos, wordpress-3.9.6-1.mga4 and created its DB OK according to instructions, http://localhost/wordpress/ first popped up its 'create config' offer, done OK re its MariaDB database; then went through its 5m setup routine. I naively defined the Wordpress user 'wordpress ' and password for same 'wordpress' - complained about (reasonably) as being weak. The start Blog is present & correct; however, login using these params failed. The link to change password via e-mail all works OK, which I did to something slightly better. Still logins failed. So I repeated the password re-set loop to something better again; *still* unable to login. Noted that the DB collation was 'swedish' (but not the individual tables), apparently the default. Tried changing that to utf8_bin , but still no login. So any suggestions please?
CC: (none) => lewyssmith
The upstream announcement doesn't say it explicitly, but it applies to both the 3.9.7 and 4.2.3 releases. The Mageia 4 package is still using the 3.9.x branch.
(In reply to Lewis Smith from comment #3) > 2] Silly perhaps, but I need to get past this... > The start Blog is present & correct; however, login using these params > failed. The link to change password via e-mail all works OK, which I did to > something slightly better. Still logins failed. So I repeated the password > re-set loop to something better again; *still* unable to login. > Noted that the DB collation was 'swedish' (but not the individual tables), > apparently the default. Tried changing that to utf8_bin , but still no login. > So any suggestions please? No need! I found that the login problem happened using Opera; but trying with Firefox, it works OK. This does not strike me as healthy, even though Opera (12) is now very dated. There is nothing more basic than username/password login fields; surely this should work with *any* browser. I shall try others.
Testing MGA4 x64 Used wordpress-3.9.6-1.mga4 OK. Updated it to wordpress-3.9.7-1.mga4 Played with it a bit. Seemed OK, OK-ing this. BTW The login problem in Comment 3 proved to be *just* Opera (12). Login worked with Firefox, Web & Konqueror.
Whiteboard: has_procedure => has_procedure MGA4-64-OK
Tested mga4-32. Installed on a fresh mga4 installation, created database and installed wp. Created a post and a page, edited. All OK. Validating.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK mga4-32-okCC: (none) => wrw105, sysadmin-bugs
CC: (none) => davidwhodginsWhiteboard: has_procedure MGA4-64-OK mga4-32-ok => has_procedure MGA4-64-OK mga4-32-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0290.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/652660/