Date: Tue, 4 Aug 2015 14:42:56 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: WordPress 4.2.3 and earlier multiple vulnerabilities

> Can I get CVE for WordPress 4.2.3 and earlier multiple vulnerabilities

> https://codex.wordpress.org/Version_4.2.4 says:
>
> "WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and a
> potential SQL injection that could be used to compromise a site
> (CVE-2015-2213)."

The correct parsing of that sentence is like:

  WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and
  [a potential SQL injection that could be used to compromise a site
  (CVE-2015-2213)]

not like:

  [WordPress 4.2.4 fixes three cross-site scripting vulnerabilities
  and a potential SQL injection that could be used to compromise a
  site] (CVE-2015-2213)

See below for the set of 6 CVE IDs that correspond to the currently
available information.

> https://core.trac.wordpress.org/changeset/33555
> https://core.trac.wordpress.org/changeset/33556
> "Comments: IDs are integers"

Use CVE-2015-2213 only for this SQL injection issue.

> https://core.trac.wordpress.org/changeset/33535
> https://core.trac.wordpress.org/changeset/33536
> "Customizer: Use hash_equals() for widgets" aka "a fix for a
> potential timing side-channel attack"

Use CVE-2015-5730.

> https://core.trac.wordpress.org/changeset/33542
> https://core.trac.wordpress.org/changeset/33543
> "Heartbeat: Ensure post locks are released" aka "prevents an attacker
> from locking a post from being edited"

Use CVE-2015-5731.

> cross-site scripting vulnerabilities
> https://core.trac.wordpress.org/changeset/33529
> "Nav menus: Consistent titles in widgets"

Use CVE-2015-5732.

> https://core.trac.wordpress.org/changeset/33540
> https://core.trac.wordpress.org/changeset/33541
> "Nav menus: Adjust redundant titles in accessibility helpers"

Use CVE-2015-5733.

> https://core.trac.wordpress.org/changeset/33549
> "Themes: Fix some broken links in the legacy theme preview."

Use CVE-2015-5734.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]