oss-sec mailing list archives
GetID3 CVE-2014-2053 XXE issue [was Re: [oss-security] WordPress 3.9.2 release - needs CVE's]
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 14 Aug 2014 17:32:41 +1000
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.

This is an XXE in GetID3, http://getid3.sourceforge.net/. Upstream CVE-2014-2053. Affected WordPress versions 3.6 - 3.9.1 (except 3.7.4 / 3.8.4)
https://core.trac.wordpress.org/changeset/29390

Thanks Andrew!

For the separate package of GetID3, I think this is the fix:

https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc

Making a separate mail in case anyone else missed CVE-2014-2053.

Cheers,

--
Murray McAllister / Red Hat Product Security