Upstream has announced new versions today (August 4):
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/

The issue was fixed upstream in versions 4.2.4 and 3.9.8:
http://codex.wordpress.org/Version_3.9.8

CVE request:
http://openwall.com/lists/oss-security/2015/08/04/5

Generic advisory for now, pending CVE assignments.

Updated package uploaded for Mageia 4.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14625#c4

Advisory:
========================

Updated wordpress packages fix security vulnerabilities:

The wordpress package has been updated to version 3.9.8, fixing multiple security issues and other bugs. See the upstream announcement and release notes for more details.

References:
http://codex.wordpress.org/Version_3.9.8
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
========================

Updated packages in core/updates_testing:
========================
wordpress-3.9.8-1.mga4

from wordpress-3.9.8-1.mga4.src.rpm
Whiteboard: (none) => has_procedure
The codex page has been updated.

Advisory:
========================

Updated wordpress packages fix security vulnerabilities:

The wordpress package has been updated to version 3.9.8, fixing three cross-site scripting issues and an SQL injection issue (CVE-2015-2213), as well as other bugs. See the upstream announcement and release notes for more details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
http://codex.wordpress.org/Version_3.9.8
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
More CVEs:
http://openwall.com/lists/oss-security/2015/08/04/7

Advisory:
========================

Updated wordpress packages fix security vulnerabilities:

The wordpress package has been updated to version 3.9.8, fixing three cross-site scripting issues (CVE-2015-5732, CVE-2015-5733, CVE-2015-5734), a potential timing side-channel attack in Customizer (CVE-2015-5730), an issue in Heartbeat where an attacker could lock a post from being edited (CVE-2015-5731), and an SQL injection issue (CVE-2015-2213), as well as other bugs. See the upstream announcement and release notes for more details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
http://codex.wordpress.org/Version_3.9.8
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
http://openwall.com/lists/oss-security/2015/08/04/7
URL: (none) => http://lwn.net/Vulnerabilities/653870/
Tested on a new install mga4-64. Set up wordpress, wrote a post and a page, edited post and a page, created a user and changed role. All OK. As this is a noarch package, validating.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure mga4-64-ok
CC: (none) => wrw105, sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0309.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED