oss-sec mailing list archives
Re: WordPress 3.9.2 release - needs CVE's
From: cve-assign () mitre org
Date: Wed, 13 Aug 2014 01:47:41 -0400 (EDT)
-Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
This is an unsafe serialization vulnerability. Affected versions 3.9 and 3.9.1. https://core.trac.wordpress.org/changeset/29389
Use CVE-2014-5203.
-Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
Same reporter, same line of code, but two separate issues here. One, when building CSRF tokens, the individual pieces were not separated by a delimiter, so $action + $user_id could have been post_1 + user 23 or post 12 + user 3. Second issue: Nonces were not being compared in a time-constant manner. Neither is easy to exploit. Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4)
https://core.trac.wordpress.org/changeset/29384
Use CVE-2014-5204.
https://core.trac.wordpress.org/changeset/29408
Use CVE-2014-5205.
-Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
XSS: https://core.trac.wordpress.org/changeset/29398
We think this can have a CVE ID only if it allows privilege escalation from Administrator to Super Admin in a Multisite installation. Does it? (On other installations, Administrator has the unfiltered_html capability.)
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
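An added example (not part of the original message and not WordPress's code): a simplified Python model of the two nonce issues described above. It shows that undelimited concatenation gives two different (action, user) pairs the same token, and that an early-exit comparison does data-dependent work where `hmac.compare_digest` does not. The key, the `tick` field, the 10-character truncation and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample secret, not a real WordPress salt


def _mac(message: str) -> str:
    """Keyed hash of the message, truncated to a short token (assumed length)."""
    return hmac.new(KEY, message.encode(), hashlib.sha256).hexdigest()[:10]


def token_no_delimiter(tick: int, action: str, user_id: int) -> str:
    # Pre-fix shape: fields are concatenated directly, so the boundary
    # between action and user_id is not part of the MAC input.
    return _mac(f"{tick}{action}{user_id}")


def token_delimited(tick: int, action: str, user_id: int) -> str:
    # Fixed shape: "|" separates the fields. tick and user_id are integers,
    # so the first and last "|" always mark the field boundaries, even if
    # the action string itself contains "|".
    return _mac(f"{int(tick)}|{action}|{int(user_id)}")


def early_exit_equal(a: str, b: str) -> tuple:
    """Ordinary comparison; also returns how many characters it examined."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return False, i  # stops at the first mismatch: work depends on the data
    return True, len(a)


def verify(candidate: str, tick: int, action: str, user_id: int) -> bool:
    expected = token_delimited(tick, action, user_id)
    # compare_digest takes time independent of where the two values differ.
    return hmac.compare_digest(candidate.encode(), expected.encode())


if __name__ == "__main__":
    # The inputs from the message: post_1 + user 23 versus post_12 + user 3.
    print(token_no_delimiter(1, "post_1", 23) == token_no_delimiter(1, "post_12", 3))
    print(token_delimited(1, "post_1", 23) == token_delimited(1, "post_12", 3))
    good = token_delimited(1, "post_1", 23)
    print(early_exit_equal(good, "x" + good[1:]), early_exit_equal(good, good[:-1] + "x"))
```
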