Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20141125200956.098966C4006@smtpvmsrv1.mitre.org>
Date: Tue, 25 Nov 2014 15:09:56 -0500 (EST)
From: cve-assign@...re.org
To: nacin@...dpress.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: WordPress 4.0.1 Security Release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>  * XSS in wptexturize() via comments or posts. Unauthenticated. Affected
> versions <= 3.9.2 (except >= 3.8.5 / 3.7.5). Discovered by Jouko Pynnonen.

> http://klikki.fi/adv/wordpress.html

Use CVE-2014-9031.


>  * XSS in media playlists. Affected versions 3.9, 3.9.1, 3.9.2, 4.0.
> Reported by Jon Cave.

Use CVE-2014-9032.


>  * CSRF in the password reset process. Affected versions 4.0, 3.9.2, 3.8.4,
> 3.7.4.

> http://core.trac.wordpress.org/changeset/30418

Use CVE-2014-9033.


>  * Denial of service for giant passwords. This is the same issue as
> CVE-2014-9016
> in Drupal, and was reported by the same individuals to both projects. The
> phpass library by Solar Designer was used in both projects without setting
> a maximum password length, which can lead to CPU exhaustion upon hashing.
> Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.

> http://core.trac.wordpress.org/changeset/30467

Use CVE-2014-9034.

We consider this distinct from CVE-2014-9016 because the use of a
maximum password length can be chosen independently.


>  * XSS in Press This. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 /
> 3.9.3). Reported by John Blackbourn.

Use CVE-2014-9035.


>  * XSS in HTML filtering of CSS in posts. Affected versions <= 4.0 (except
> >= 3.8.5 / 3.7.5 / 3.9.3). Reported by Robert Chapin.

Use CVE-2014-9036.

(Note that, for the XSS issues, we have used the discoverer
information as expressed in the
http://openwall.com/lists/oss-security/2014/11/25/10 post -- this is
slightly different from the way the discoverer information was
expressed in the https://wordpress.org/news/2014/11/wordpress-4-0-1/
announcement.)


>  * Hash comparison vulnerability in old-style MD5-stored
> passwords. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). The
> WordPress install have once run WordPress < 2.5 (March 29, 2008), the user
> must not have logged in since the install was updated to >= 2.5, and the
> user needed to have a password for which the md5 hash was something that
> could be collided with due to PHP dynamic type comparisons (something like
> 1 in 170 million). Reported by David Anderson.

Use CVE-2014-9037.


>  * SSRF: Safe HTTP requests did not sufficiently block the loopback IP
> address space. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3).
> Reported by Ben Bidner.

> https://core.trac.wordpress.org/changeset/30444

Use CVE-2014-9038.


> * Previously an email address change would not invalidate a previous
> password reset email.  Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 /
> 3.9.3). WordPress now invalidates this if the user remembers their
> password, logs in, and changes their email address. Reported by Momen
> Bassel, Tanoy Bose, and Bojan Slavkovic.

> http://core.trac.wordpress.org/changeset/30431

Use CVE-2014-9039.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUdOGsAAoJEKllVAevmvmst7QIAJtdJNpYCY4mjY+o8DCovdSp
q32y8P+xHhcZyiCp7Aac1OARc1Niy4qTBvIKh2kxDjx7wZ7R+mN2cMH/DvgN1zOE
pHaj+HumkNCP8yfkh24M4eqViq68RHutIddkT4dZHMU/uGL9Xe3Ba39+c0h5hyGk
Dyfb04BEkizvOQIonk3f6H+38S2XupGITt5gpxtHS2NUG9OQeVRcRG744IsdfsoU
lx+Qenkqb+yYDX5mq3OfBYgJ+FnBnDyteyO6nJ0+1NNepBCiiwG0LtEHXBKRrpDw
OyiUv+MzZfGnnMZ5rWTsg26y5vGPjlF6EiT0MxgpcHLGk/YiY0eUPQi2aagHeeY=
=8PCM
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.