Bug 9030 - wordpress new security issues CVE-2013-0235, CVE-2013-0236, and CVE-2013-0237
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/537250/
Whiteboard: mga2-32-ok mga2-64-ok
Keywords: validated_update
Reported: 2013-02-10 19:15 CET by David Walser
Modified: 2013-05-09 12:32 CEST (History)

Source RPM: wordpress-3.4.2-1.mga2.src.rpm

Description David Walser 2013-02-10 19:15:31 CET
Fedora has issued an advisory on February 1:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098476.html

The issues are fixed in 3.5.1, which we updated to already in Cauldron.

We should issue an update for Mageia 2.
Comment 1 Damien Lallement 2013-05-06 11:37:47 CEST
WIP
Comment 2 Damien Lallement 2013-05-06 17:47:53 CEST
Advisory:
-------------
This update of WordPress updates it to 3.5.1, a bug fix and security release.

Packages:
-------------
wordpress-3.5.1-1.1.mga2

New Suggests:
-------------
N/A

How to test:
-------------
- Install 'wordpress' from 2, configure it.
- Install 'wordpress' from 'update_testing' and check it's still working as expected.
Comment 3 David Walser 2013-05-06 20:34:32 CEST
Thanks Damien!

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:


A server-side request forgery vulnerability and remote port scanning using
pingbacks. This vulnerability, which could potentially be used to expose
information and compromise a site, affects WordPress before 3.5.1
(CVE-2013-0235).

Two instances of cross-site scripting via shortcodes and post content
(CVE-2013-0236).

A cross-site scripting vulnerability in the external library Plupload
(CVE-2013-0237).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0237
https://wordpress.org/news/2013/01/wordpress-3-5-1/
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098476.html
========================

Updated packages in core/updates_testing:
========================
wordpress-3.5.1-1.1.mga2

from wordpress-3.5.1-1.1.mga2.src.rpm
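A check a tester or sysadmin could run after the "How to test" steps in comment 2, added here as an example and not part of the bug report or of Mageia's tooling: it decides whether an installed wordpress package is at or past the fixed build named in the advisory (wordpress-3.5.1-1.1.mga2) using RPM's own version ordering, reimplemented in Python as rpmvercmp so it runs without the rpm bindings. The function names, the `rpm -q --qf` query and the candidate version strings other than the two builds named on this page are assumptions or constructed for illustration.

```python
"""Compare an installed wordpress RPM against the advisory's fixed build.

Added example, not part of the Mageia bug report. rpmvercmp() follows
rpm's segment rules (digit runs compare numerically, letter runs
lexically, '~' sorts before anything); the '^' caret rule of newer rpm
releases is omitted, which does not affect these versions.
"""
import re
import subprocess

FIXED_NEVR = "wordpress-3.5.1-1.1.mga2"       # fixed build from the advisory
VULNERABLE_NEVR = "wordpress-3.4.2-1.mga2"    # build Mageia 2 shipped before


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp ordering."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not re.match(r"[A-Za-z0-9~]", a[i]):
            i += 1
        while j < len(b) and not re.match(r"[A-Za-z0-9~]", b[j]):
            j += 1
        # '~' sorts before everything, even end of string: 3.5.1~rc1 < 3.5.1.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Segment type (digits or letters) is chosen by the left side.
        pat, isnum = (r"[0-9]+", True) if a[i].isdigit() else (r"[A-Za-z]+", False)
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:
            return 1 if isnum else -1   # numeric segment beats alpha segment
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # longer digit run is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1    # leftover content means newer


def parse_nevr(pkg: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = pkg.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def compare_evr(evr_a, evr_b) -> int:
    """Epoch first (as integers), then version, then release."""
    (ea, va, ra), (eb, vb, rb) = evr_a, evr_b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_nevr: str, fixed_nevr: str = FIXED_NEVR) -> bool:
    """True when the installed build is the fixed build or a newer one."""
    name_i, *evr_i = parse_nevr(installed_nevr)
    name_f, *evr_f = parse_nevr(fixed_nevr)
    if name_i != name_f:
        raise ValueError(f"package mismatch: {name_i} vs {name_f}")
    return compare_evr(evr_i, evr_f) >= 0


def installed_nevr(name: str = "wordpress"):
    """Ask the local rpm database; None if rpm or the package is absent."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", name],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    lines = out.splitlines()
    return lines[0] if lines else None


if __name__ == "__main__":
    # Constructed candidates, then the live system when rpm is available.
    for nevr in (VULNERABLE_NEVR, "wordpress-3.5.1-1.mga2", FIXED_NEVR):
        print(f"{nevr}: {'fixed' if is_fixed(nevr) else 'VULNERABLE'}")
    live = installed_nevr()
    if live:
        print(f"installed {live}: {'fixed' if is_fixed(live) else 'VULNERABLE'}")
```

The release field matters as much as the version: wordpress-3.5.1-1.mga2 would still count as older than the 1.1.mga2 build the advisory names, which is why the comparison walks epoch, version and release rather than looking at "3.5.1" alone.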
Comment 4 claire robinson 2013-05-07 12:33:11 CEST
Testing complete mga2 32 & 64

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 5 Thomas Backlund 2013-05-09 12:32:13 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0137
