Date: Thu, 13 Sep 2012 01:09:31 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Andrew Nacin <nacin@...dpress.org>, Hanno Boeck <hanno@...eck.de>,
        security@...dpress.org
Subject: Re: CVEs for wordpress 3.4.2 release

On 09/12/2012 11:49 AM, Andrew Nacin wrote:
> On Wed, Sep 12, 2012 at 1:04 PM, Kurt Seifried
> <kseifried@...hat.com> wrote:
> 
>> On 09/12/2012 04:38 AM, Hanno Boeck wrote:
>>> I can't find CVEs assigned for the issues fixed in wordpress
>>> 3.4.2.
>>> 
>>> http://wordpress.org/news/2012/09/wordpress-3-4-2/
>>> 
>>> 
>>> Sadly, the information is quite limited: "Version 3.4.2 also
>>> fixes a few security issues and contains some security
>>> hardening. The vulnerabilities included potential privilege
>>> escalation and a bug that affects multisite installs with
>>> untrusted users. These issues were discovered and fixed by the
>>> WordPress security team."
>>> 
>>> I suggest assigning two:
>>> 1. potential privilege escalation
>>> 2. problem with untrusted users on multisite installations
>>> unless someone has more information.
>> 
>> Can security@...dpress.org provide clarification on this please?
> 
> 
> The second one there is CVE-2012-3383. 3.4.1 remained affected;
> fixed in 3.4.2.
> 
> We are more specific on our version pages. From 
> http://codex.wordpress.org/Version_3.4.2:
> 
> * Fix unfiltered HTML capabilities in multisite (this is
> CVE-2012-3383)
> * Fix possible privilege escalation in the Atom Publishing
> Protocol endpoint

Please use CVE-2012-4421 for this issue.

> * Allow operations on network plugins only through the network
> admin

Please use CVE-2012-4422 for this issue.

> Details for the other two:

Thanks for the details.

> * AtomPub allowed contributors to publish posts, which is normally
> reserved for users of an author role or higher. This should be
> considered low risk, low impact. An additional mitigating factor is
> that AtomPub is off by default and rarely enabled. (In WordPress
> 3.5, AtomPub will no longer be a part of core.)
> 
> * For multisite, plugins that must be activated network-wide could
> be activated by a non-network administrator. This is only if they
> were already installed by a network administrator, but left
> inactive. This could also only occur if the network administrator
> allowed individual site administrators to manage plugins -- by
> default, this is not the case, and it is rare. Again, not 
> particularly high risk or impact.
> 
> Regards,
> 
> Andrew Nacin, Lead Developer, WordPress
> 


- -- 
Kurt Seifried, Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
