Date: Thu, 13 Sep 2012 01:09:31 -0600
From: Kurt Seifried <>
CC: Andrew Nacin <>, Hanno Boeck <>,
Subject: Re: CVEs for wordpress 3.4.2 release

On 09/12/2012 11:49 AM, Andrew Nacin wrote:
> On Wed, Sep 12, 2012 at 1:04 PM, Kurt Seifried
> <> wrote:
>> On 09/12/2012 04:38 AM, Hanno Boeck wrote:
>>> I can't find CVEs assigned for the issues fixed in wordpress
>>> 3.4.2.
>>> Sadly, the information is quite limited: "Version 3.4.2 also
>>> fixes a few security issues and contains some security
>>> hardening. The vulnerabilities included potential privilege
>>> escalation and a bug that affects multisite installs with
>>> untrusted users. These issues were discovered and fixed by the
>>> WordPress security team."
>>> I suggest assigning two: 1. potential privilege escalation 2. 
>>> problem with untrusted users on multisite installations unless 
>>> someone has more information.
>> Can you provide clarification on this please?
> The second one there is CVE-2012-3383. 3.4.1 remained affected;
> fixed in 3.4.2.
> We are more specific on our version pages. From
> * Fix unfiltered HTML capabilities in multisite (this is
> CVE-2012-3383)
> * Fix possible privilege escalation in the Atom
> Publishing Protocol endpoint

Please use CVE-2012-4421 for this issue.

> * Allow operations on network plugins only through the network
> admin

Please use CVE-2012-4422 for this issue.

> Details for the other two:

Thanks for the details

> * AtomPub allowed contributors to publish posts, which is normally
> reserved for users of an author role or higher. This should be
> considered low risk, low impact. An additional mitigating factor is
> that AtomPub is off by default and rarely enabled. (In WordPress
> 3.5, AtomPub will no longer be a part of core.)
> * For multisite, plugins that must be activated network-wide could
> be activated by a non-network administrator. This is only if they
> were already installed by a network administrator, but left
> inactive. This could also only occur if the network administrator
> allowed individual site administrators to manage plugins -- by
> default, this is not the case, and it is rare. Again, not 
> particularly high risk or impact.
> Regards,
> Andrew Nacin
> Lead Developer, WordPress

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
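The two authorization gaps Andrew describes above (contributors publishing through AtomPub, and network-only plugins being activated outside the network admin), as a simplified PHP model added here for illustration; it is not WordPress's own code, the role/capability table is a constructed subset of WordPress defaults, and every function name is hypothetical.

```php
<?php
// Constructed subset of WordPress's default role -> capability map.
$ROLE_CAPS = [
    'contributor'   => ['edit_posts'],
    'author'        => ['edit_posts', 'publish_posts'],
    'administrator' => ['edit_posts', 'publish_posts', 'activate_plugins'],
    'super_admin'   => ['edit_posts', 'publish_posts', 'activate_plugins',
                        'manage_network_plugins'],
];

function user_can(array $user, string $cap): bool {
    global $ROLE_CAPS;
    return in_array($cap, $ROLE_CAPS[$user['role']] ?? [], true);
}

// Vulnerable shape: only edit_posts is checked, and the client-supplied
// "publish" flag is trusted, so a contributor can publish directly.
function atompub_create_post_vulnerable(array $user, array $entry): array {
    if (!user_can($user, 'edit_posts')) {
        throw new RuntimeException('403: cannot create posts');
    }
    return ['author' => $user['login'],
            'status' => $entry['publish'] ? 'publish' : 'draft'];
}

// Hardened shape: publishing additionally requires publish_posts; a user
// without it gets a draft, which is what the normal author-role gate enforces.
function atompub_create_post_fixed(array $user, array $entry): array {
    if (!user_can($user, 'edit_posts')) {
        throw new RuntimeException('403: cannot create posts');
    }
    $status = ($entry['publish'] && user_can($user, 'publish_posts')) ? 'publish' : 'draft';
    return ['author' => $user['login'], 'status' => $status];
}

// Multisite: a plugin flagged network-only may be activated only from the
// network admin context by a user holding manage_network_plugins; a site
// administrator who merely has activate_plugins is refused.
function activate_plugin_fixed(array $user, array $plugin, bool $in_network_admin): string {
    if ($plugin['network_only']) {
        if (!$in_network_admin || !user_can($user, 'manage_network_plugins')) {
            throw new RuntimeException('403: network plugins are managed by network admins only');
        }
        return 'network-active';
    }
    if (!user_can($user, 'activate_plugins')) {
        throw new RuntimeException('403: cannot activate plugins');
    }
    return 'active';
}

$contributor = ['login' => 'alice', 'role' => 'contributor'];   // constructed sample user
$entry       = ['title' => 'Hello', 'publish' => true];          // constructed AtomPub entry
echo 'vulnerable: ', atompub_create_post_vulnerable($contributor, $entry)['status'], PHP_EOL;
echo 'fixed:      ', atompub_create_post_fixed($contributor, $entry)['status'], PHP_EOL;
```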
