Date: Thu, 13 Sep 2012 01:09:31 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Andrew Nacin <nacin@...dpress.org>, Hanno Boeck <hanno@...eck.de>, security@...dpress.org
Subject: Re: CVEs for wordpress 3.4.2 release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 11:49 AM, Andrew Nacin wrote:
> On Wed, Sep 12, 2012 at 1:04 PM, Kurt Seifried
> <kseifried@...hat.com> wrote:
>
>> On 09/12/2012 04:38 AM, Hanno Boeck wrote:
>>> I can't find CVEs assigned for the issues fixed in wordpress
>>> 3.4.2.
>>>
>>> http://wordpress.org/news/2012/09/wordpress-3-4-2/
>>>
>>> Sadly, the information is quite limited: "Version 3.4.2 also
>>> fixes a few security issues and contains some security
>>> hardening. The vulnerabilities included potential privilege
>>> escalation and a bug that affects multisite installs with
>>> untrusted users. These issues were discovered and fixed by the
>>> WordPress security team."
>>>
>>> I suggest assigning two:
>>> 1. potential privilege escalation
>>> 2. problem with untrusted users on multisite installations
>>> unless someone has more information.
>>
>> Can security@...dpress.org provide clarification on this please?
>
> The second one there is CVE-2012-3383. 3.4.1 remained affected;
> fixed in 3.4.2.
>
> We are more specific on our version pages. From
> http://codex.wordpress.org/Version_3.4.2:
>
> * Fix unfiltered HTML capabilities in multisite (this is
> CVE-2012-3383)
> * Fix possible privilege escalation in the Atom
> Publishing Protocol endpoint

Please use CVE-2012-4421 for this issue.

> * Allow operations on network plugins only through the network
> admin

Please use CVE-2012-4422 for this issue.

> Details for the other two:

Thanks for the details.

> * AtomPub allowed contributors to publish posts, which is normally
> reserved for users of an author role or higher. This should be
> considered low risk, low impact. An additional mitigating factor is
> that AtomPub is off by default and rarely enabled. (In WordPress
> 3.5, AtomPub will no longer be a part of core.)
>
> * For multisite, plugins that must be activated network-wide could
> be activated by a non-network administrator. This is only if they
> were already installed by a network administrator, but left
> inactive. This could also only occur if the network administrator
> allowed individual site administrators to manage plugins -- by
> default, this is not the case, and it is rare. Again, not
> particularly high risk or impact.
>
> Regards,
>
> Andrew Nacin
> Lead Developer
> WordPress

- -- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUYarAAoJEBYNRVNeJnmT2roP/0hahIE+kTjQzB2dVeyOR6vK
Ro0npwJsEXX3T1+5pJYRWNMuMcblWqF2u76qOzLb5RMmuzYgKgO83C8TeoEh4Ec/
v46bLImZ0d1007Q4tBq0XJSKT84qDCWg4DQRD7uvCA+viamYYtlkSZ98Rm0erMMS
IIKq2cvav+WSGrr/Xfl+Q0z0I2nZTQVh8qZ3gxlyvLeIJM8HcxvvYbZWvaPx3GZp
8xn5Hto5w+L3XLnrH0KI10g3svUpiRu9F7pFtdOo0PwWHja+tBkIVLqshCardijC
eicgTxwzueKrA6iBUWgazxxkGXH03QvGYSz+3i2uy4InNFF4ygQWM3gOYNfK8M7B
ZXNc1x/aeExjXVahkg505bAT7GhzvN4GymzNui8TT92vvGqqWO9k9GNRspwZ6YfT
TnpEFAf4I4jSLaSArwnwu68ESLd7vTU42dKhOR/fQtxy7OHSjWfzqm+nBOCyUv0A
LViGOn4wYKp+aTD86drDBBGFlshEyGURHRwUAV9twG8xu3fFF8hW5x/zDZ64RCac
tt/L5oOgfa0v1QgNfsk/CCs0ey08QHQJZCxQDM2jl3q4T3eHuKKlyVYe+dKcKboH
Tp6N3FogISlfsHwRju0K7NHI4ocnVxE8Dp//nRoPblq3ZZ+cbA57Sx2zaumXRVHC
lB2EKrwcV1fLmf4PIEab
=Z5q5
-----END PGP SIGNATURE-----