Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 13 Aug 2014 01:47:41 -0400 (EDT)
From: cve-assign@...re.org
To: nacin@...dpress.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: WordPress 3.9.2 release - needs CVE's

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> -Fixes a possible but unlikely code execution when processing widgets
>> (WordPress is not affected by default), discovered by Alex Concha of
>> the WordPress security team.

> This is an unsafe serialization vulnerability. Affected versions 3.9 and
> 3.9.1.
> 
> https://core.trac.wordpress.org/changeset/29389

Use CVE-2014-5203.


>> -Adds protections against brute attacks against CSRF tokens, reported
>> by David Tomaschik of the Google Security Team.

> Same reporter, same same line of code, but two separate issues here. One,
> when building CSRF tokens, the individual pieces were not separated by
> delimiter, so $action + $user_id could have been post_1 + user 23 or post
> 12 + user 3. Second issue: Nonces were not being compared in a
> time-constant manner. Neither are easy to exploit.
> 
> Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4)

> https://core.trac.wordpress.org/changeset/29384

Use CVE-2014-5204.


> https://core.trac.wordpress.org/changeset/29408

Use CVE-2014-5205.


>> -Contains some additional security hardening, like preventing
>> cross-site scripting that could be triggered only by administrators.
>>
>
> XSS: https://core.trac.wordpress.org/changeset/29398

We think this can have a CVE ID only if it allows privilege escalation
from Administrator to Super Admin in a Multisite installation. Does
it? (On other installations, Administrator has the unfiltered_html
capability.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT6vtbAAoJEKllVAevmvmsj50H/0KjAlZw8T7hQEiNypBwZ0Am
9CwHU6rwG2LrsPExN94huJNzTduUoGdb80EyQaYZFjRXhwV0gJbT7/JuvVTgPosk
EOy5inmeyD49fQc2XoZmJtj+Fvq2nT6Eahl7CIeKi6TkmfnAYx56mBCEgQDOTwNE
3ProL0arbJoW/h52i0VaRihnvbH8fu417+mGaRy9yCNK96O7tHnbH769WNsqww4k
TnAcd9pc0eOU1BT0FUM/mt7/sTtCuTmaLo8z8JdKFsGogrp21CoR8LEWK1qaRwGk
t8DXL0kug8qZosFu8CRsPtp9Sytt4ea/P1v+cZNFG5mc0T7pZLCzwQZqWong1kY=
=75KS
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ