Date: Wed, 13 Aug 2014 01:47:41 -0400 (EDT)
From: cve-assign@...re.org
To: nacin@...dpress.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: WordPress 3.9.2 release - needs CVE's

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> -Fixes a possible but unlikely code execution when processing widgets
>> (WordPress is not affected by default), discovered by Alex Concha of
>> the WordPress security team.

> This is an unsafe serialization vulnerability. Affected versions 3.9 and
> 3.9.1.
> 
> https://core.trac.wordpress.org/changeset/29389

Use CVE-2014-5203.


>> -Adds protections against brute attacks against CSRF tokens, reported
>> by David Tomaschik of the Google Security Team.

> Same reporter, same line of code, but two separate issues here. One,
> when building CSRF tokens, the individual pieces were not separated by a
> delimiter, so $action + $user_id could have been post_1 + user 23 or post
> 12 + user 3. Second issue: Nonces were not being compared in a
> time-constant manner. Neither are easy to exploit.
> 
> Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4)

> https://core.trac.wordpress.org/changeset/29384

Use CVE-2014-5204.


> https://core.trac.wordpress.org/changeset/29408

Use CVE-2014-5205.


>> -Contains some additional security hardening, like preventing
>> cross-site scripting that could be triggered only by administrators.
>>
>
> XSS: https://core.trac.wordpress.org/changeset/29398

We think this can have a CVE ID only if it allows privilege escalation
from Administrator to Super Admin in a Multisite installation. Does
it? (On other installations, Administrator has the unfiltered_html
capability.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT6vtbAAoJEKllVAevmvmsj50H/0KjAlZw8T7hQEiNypBwZ0Am
9CwHU6rwG2LrsPExN94huJNzTduUoGdb80EyQaYZFjRXhwV0gJbT7/JuvVTgPosk
EOy5inmeyD49fQc2XoZmJtj+Fvq2nT6Eahl7CIeKi6TkmfnAYx56mBCEgQDOTwNE
3ProL0arbJoW/h52i0VaRihnvbH8fu417+mGaRy9yCNK96O7tHnbH769WNsqww4k
TnAcd9pc0eOU1BT0FUM/mt7/sTtCuTmaLo8z8JdKFsGogrp21CoR8LEWK1qaRwGk
t8DXL0kug8qZosFu8CRsPtp9Sytt4ea/P1v+cZNFG5mc0T7pZLCzwQZqWong1kY=
=75KS
-----END PGP SIGNATURE-----
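A generic illustration, added here and not taken from WordPress (which is written in PHP) or from the changesets linked above, of the two CSRF-token issues the thread describes: pieces joined without a delimiter so that `post_1` + user `23` and `post_12` + user `3` hash to the same token, and a nonce check that exits on the first mismatching byte instead of comparing in constant time. The secret, the `|` separator, the HMAC-SHA256 construction and the 10-character truncation are assumptions for the demo only.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed demo secret; an assumption for this example, not WordPress key material.
SECRET = b"demo-secret-for-illustration"


def token_undelimited(action: str, user_id: int) -> str:
    """Token over the bare concatenation action + user_id.

    This is the ambiguous layout the message describes: 'post_1' + 23 and
    'post_12' + 3 both become the string 'post_123' before hashing.
    """
    msg = f"{action}{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def token_delimited(action: str, user_id: int) -> str:
    """Same token, but the pieces are joined with a delimiter so that they
    cannot run into each other (the '|' separator is an assumption here)."""
    msg = f"{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def collision_check() -> Tuple[bool, bool]:
    """Return (undelimited_collides, delimited_collides) for the pair named in the thread."""
    undelimited = token_undelimited("post_1", 23) == token_undelimited("post_12", 3)
    delimited = token_delimited("post_1", 23) == token_delimited("post_12", 3)
    return undelimited, delimited


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the behaviour of an ordinary == on strings.

    Returns (equal, bytes_examined); the second value is what a timing
    measurement would observe, and it depends on where the first mismatch is.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Comparison that always walks every byte: the work done no longer
    depends on where the inputs differ. hmac.compare_digest is the
    standard-library version of this and should be used in real code."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_token(token: str, action: str, user_id: int) -> bool:
    """Verify a delimited token using the library's constant-time comparison."""
    expected = token_delimited(action, user_id)
    return hmac.compare_digest(token.encode(), expected.encode())


if __name__ == "__main__":
    print("collides (undelimited, delimited):", collision_check())
    print("naive compare:", naive_compare(b"abcd", b"zbcd"), naive_compare(b"abcd", b"abzd"))
    print("constant-time compare:", constant_time_compare(b"abcd", b"zbcd"))
    t = token_delimited("post_1", 23)
    print("verify post_1 / user 23:", verify_token(t, "post_1", 23))
    print("verify post_12 / user 3:", verify_token(t, "post_12", 3))
```

The delimiter fix and the comparison fix are independent: a delimited token compared with `==` still leaks mismatch position, and a constant-time check of an undelimited token still accepts the wrong action/user pair, which is why the thread treats them as two issues.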
