Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Nov 2014 13:32:58 -0500
From: Andrew Nacin <nacin@...dpress.org>
To: Kurt Seifried <kseifried@...hat.com>
Cc: Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: WordPress 4.0.1 Security Release

CVE request for 9 vulnerabilities fixed in the WordPress security releases
on November 20:

 * XSS in wptexturize() via comments or posts. Unauthnticated. Affected
versions <= 3.9.2 (except >= 3.8.5 / 3.7.5). Discovered by Jouko Pynnonen.

 * XSS in media playlists. Affected versions 3.9, 3.9.1, 3.9.2, 4.0.
Reported by Jon Cave.

 * CSRF in the password reset process. Affected versions 4.0, 3.9.2, 3.8.4,
3.7.4.

 * Denial of service for giant passwords. This is the same issue as
CVE-2014-9016
in Drupal, and was reported by the same individuals to both projects. The
phpass library by Solar Designer was used in both projects without setting
a maximum password length, which can lead to CPU exhaustion upon hashing.
Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.

 * XSS in Press This. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 /
3.9.3). Reported by John Blackbourn.

 * XSS in HTML filtering of CSS in posts. Affected versions <= 4.0 (except
>= 3.8.5 / 3.7.5 / 3.9.3). Reported by Robert Chapin.

 * Hash comparison vulnerability in old-style MD5-stored
passwords. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). The
WordPress install have once run WordPress < 2.5 (March 29, 2008), the user
must not have logged in since the install was updated to >= 2.5, and the
user needed to have a password for which the md5 hash was something that
could be collided with due to PHP dynamic type comparisons (something like
1 in 170 million). Reported by David Anderson.

 * SSRF: Safe HTTP requests did not sufficiently block the loopback IP
address space. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3).
Reported by Ben Bidner.

 *  Previously an email address change would not invalidate a previous
password reset email.  Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 /
3.9.3). WordPress now invalidates this if the user remembers their
password, logs in, and changes their email address. Affected

Andrew Nacin
WordPress

On Thu, Nov 20, 2014 at 8:17 PM, Andrew Nacin <nacin@...dpress.org> wrote:

> Nothing yet. I have a request drafted and I'll follow up with it soon. It
> has the proper details / affected versions etc.
> On Nov 20, 2014 8:09 PM, "Kurt Seifried" <kseifried@...hat.com> wrote:
>
>> I'm not aware of any being assigned. Andrew?
>>
>> On 20/11/14 01:47 PM, Henri Salo wrote:
>> > https://wordpress.org/news/2014/11/wordpress-4-0-1/
>> >
>> > WordPress 4.0.1 is now available. This is a critical security release
>> for all
>> > previous versions and we strongly encourage you to update your sites
>> > immediately.
>> >
>> > Can I get CVEs for vulnerabilities fixed in this release, thank you. I
>> am not
>> > sure if some or any of these has been requested already.
>> >
>> > ---
>> > Henri Salo
>> >
>>
>> --
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>
>>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.