Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 13 Aug 2014 01:47:41 -0400 (EDT)
From: cve-assign@...re.org
To: nacin@...dpress.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: WordPress 3.9.2 release - needs CVE's

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> -Fixes a possible but unlikely code execution when processing widgets
>> (WordPress is not affected by default), discovered by Alex Concha of
>> the WordPress security team.

> This is an unsafe serialization vulnerability. Affected versions 3.9 and
> 3.9.1.
> 
> https://core.trac.wordpress.org/changeset/29389

Use CVE-2014-5203.


>> -Adds protections against brute attacks against CSRF tokens, reported
>> by David Tomaschik of the Google Security Team.

> Same reporter, same same line of code, but two separate issues here. One,
> when building CSRF tokens, the individual pieces were not separated by
> delimiter, so $action + $user_id could have been post_1 + user 23 or post
> 12 + user 3. Second issue: Nonces were not being compared in a
> time-constant manner. Neither are easy to exploit.
> 
> Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4)

> https://core.trac.wordpress.org/changeset/29384

Use CVE-2014-5204.


> https://core.trac.wordpress.org/changeset/29408

Use CVE-2014-5205.


>> -Contains some additional security hardening, like preventing
>> cross-site scripting that could be triggered only by administrators.
>>
>
> XSS: https://core.trac.wordpress.org/changeset/29398

We think this can have a CVE ID only if it allows privilege escalation
from Administrator to Super Admin in a Multisite installation. Does
it? (On other installations, Administrator has the unfiltered_html
capability.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT6vtbAAoJEKllVAevmvmsj50H/0KjAlZw8T7hQEiNypBwZ0Am
9CwHU6rwG2LrsPExN94huJNzTduUoGdb80EyQaYZFjRXhwV0gJbT7/JuvVTgPosk
EOy5inmeyD49fQc2XoZmJtj+Fvq2nT6Eahl7CIeKi6TkmfnAYx56mBCEgQDOTwNE
3ProL0arbJoW/h52i0VaRihnvbH8fu417+mGaRy9yCNK96O7tHnbH769WNsqww4k
TnAcd9pc0eOU1BT0FUM/mt7/sTtCuTmaLo8z8JdKFsGogrp21CoR8LEWK1qaRwGk
t8DXL0kug8qZosFu8CRsPtp9Sytt4ea/P1v+cZNFG5mc0T7pZLCzwQZqWong1kY=
=75KS
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ