Re: CVEs for wordpress 3.4.2 release

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 11:49 AM, Andrew Nacin wrote:
> On Wed, Sep 12, 2012 at 1:04 PM, Kurt Seifried
> <kseifried () redhat com> wrote:
>
> > On 09/12/2012 04:38 AM, Hanno Boeck wrote:
> > > I can't find CVEs assigend for the issues fixed in wordpress 
> > > 3.4.2.
> > >
> > > http://wordpress.org/news/2012/09/wordpress-3-4-2/
> > >
> > >
> > > Sadly, the information is quite limited: "Version 3.4.2 also
> > > fixes a few security issues and contains some security
> > > hardening. The vulnerabilities included potential privilege
> > > escalation and a bug that affects multisite installs with
> > > untrusted users. These issues were discovered and fixed by the
> > > WordPress security team."
> > >
> > > I suggest assigning two: 1. potential privilege escalation 2. 
> > > problem with untrusted users on multisite installations unless 
> > > someone has more information.
> >
> > Can security () wordpress org provide clarification on this please?
>
>
> The second one there is CVE-2012-3383. 3.4.1 remained affected;
> fixed in 3.4.2.
>
> We are more specific on our version pages. From 
> http://codex.wordpress.org/Version_3.4.2:
>
> * Fix unfiltered HTML capabilities in multisite (this is
> CVE-2012-3383) * Fix possible privilege escalation in the Atom
> Publishing Protocol endpoint

Please use CVE-2012-4421 for this issue.

> * Allow operations on network plugins only through the network
> admin

Please use CVE-2012-4422 for this issue.

> Details for the other two:

Thanks for the details

> * AtomPub allowed contributors to publish posts, which is normally
> reserved for users of an author role or higher. This should be
> considered low risk, low impact. An additional mitigating factor is
> that AtomPub is off by default and rarely enabled. (In WordPress
> 3.5, AtomPub will no longer be a part of core.)
>
> * For multisite, plugins that must be activated network-wide could
> be activated by a non-network administrator. This is only if they
> were already installed by a network administrator, but left
> inactive. This could also only occur if the network administrator
> allowed individual site administrators to manage plugins -- by
> default, this is not the case, and it is rare. Again, not 
> particularly high risk or impact.
>
> Regards,
>
> Andrew Nacin Lead Developer WordPress


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUYarAAoJEBYNRVNeJnmT2roP/0hahIE+kTjQzB2dVeyOR6vK
Ro0npwJsEXX3T1+5pJYRWNMuMcblWqF2u76qOzLb5RMmuzYgKgO83C8TeoEh4Ec/
v46bLImZ0d1007Q4tBq0XJSKT84qDCWg4DQRD7uvCA+viamYYtlkSZ98Rm0erMMS
IIKq2cvav+WSGrr/Xfl+Q0z0I2nZTQVh8qZ3gxlyvLeIJM8HcxvvYbZWvaPx3GZp
8xn5Hto5w+L3XLnrH0KI10g3svUpiRu9F7pFtdOo0PwWHja+tBkIVLqshCardijC
eicgTxwzueKrA6iBUWgazxxkGXH03QvGYSz+3i2uy4InNFF4ygQWM3gOYNfK8M7B
ZXNc1x/aeExjXVahkg505bAT7GhzvN4GymzNui8TT92vvGqqWO9k9GNRspwZ6YfT
TnpEFAf4I4jSLaSArwnwu68ESLd7vTU42dKhOR/fQtxy7OHSjWfzqm+nBOCyUv0A
LViGOn4wYKp+aTD86drDBBGFlshEyGURHRwUAV9twG8xu3fFF8hW5x/zDZ64RCac
tt/L5oOgfa0v1QgNfsk/CCs0ey08QHQJZCxQDM2jl3q4T3eHuKKlyVYe+dKcKboH
Tp6N3FogISlfsHwRju0K7NHI4ocnVxE8Dp//nRoPblq3ZZ+cbA57Sx2zaumXRVHC
lB2EKrwcV1fLmf4PIEab
=Z5q5
-----END PGP SIGNATURE-----