oss-sec mailing list archives
Re: WordPress 4.0.1 Security Release
From: Andrew Nacin <nacin () wordpress org>
Date: Tue, 25 Nov 2014 13:32:58 -0500
CVE request for 9 vulnerabilities fixed in the WordPress security releases on November 20:

* XSS in wptexturize() via comments or posts. Unauthenticated. Affected versions <= 3.9.2 (except >= 3.8.5 / 3.7.5). Discovered by Jouko Pynnonen.

* XSS in media playlists. Affected versions 3.9, 3.9.1, 3.9.2, 4.0. Reported by Jon Cave.

* CSRF in the password reset process. Affected versions 4.0, 3.9.2, 3.8.4, 3.7.4.

* Denial of service for giant passwords. This is the same issue as CVE-2014-9016 in Drupal, and was reported by the same individuals to both projects. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.

* XSS in Press This. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). Reported by John Blackbourn.

* XSS in HTML filtering of CSS in posts. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). Reported by Robert Chapin.

* Hash comparison vulnerability in old-style MD5-stored passwords. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). The WordPress install must have once run WordPress < 2.5 (March 29, 2008), the user must not have logged in since the install was updated to >= 2.5, and the user needed to have a password for which the md5 hash was something that could be collided with due to PHP dynamic type comparisons (something like 1 in 170 million). Reported by David Anderson.

* SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). Reported by Ben Bidner.

* Previously an email address change would not invalidate a previous password reset email. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). WordPress now invalidates this if the user remembers their password, logs in, and changes their email address.

Affected

Andrew Nacin
WordPress
On Thu, Nov 20, 2014 at 8:17 PM, Andrew Nacin <nacin () wordpress org> wrote:
> Nothing yet. I have a request drafted and I'll follow up with it soon. It has the proper details / affected versions etc.
>
> On Nov 20, 2014 8:09 PM, "Kurt Seifried" <kseifried () redhat com> wrote:
>> I'm not aware of any being assigned. Andrew?
>>
>> On 20/11/14 01:47 PM, Henri Salo wrote:
>>> https://wordpress.org/news/2014/11/wordpress-4-0-1/
>>>
>>> WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
>>>
>>> Can I get CVEs for vulnerabilities fixed in this release, thank you. I am not sure if some or any of these have been requested already.
>>>
>>> ---
>>> Henri Salo
>>
>> --
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
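Two of the issues in the CVE request above (the phpass CPU-exhaustion problem and the MD5 hash comparison that relies on PHP dynamic type conversion) are easy to see in a few lines. The PHP below is an added example, not WordPress or phpass code: the hashing loop is a simplified imitation of the phpass portable hash, the 4096-byte cap, the salt, the round count and the two "0e..." digests are all constructed for illustration and are not values taken from the advisory.

```php
<?php
// Added example (not WordPress or phpass code). It illustrates two of the
// issues in the CVE request above: CPU exhaustion from unbounded password
// length fed into an iterated hash, and loose (==) comparison of MD5 digests.

// --- 1. Denial of service for giant passwords ---

// Simplified portable-hash loop in the style of phpass: each round re-hashes
// the running digest concatenated with the whole password, so the cost grows
// with password length as well as with the round count.
function portable_hash_loop(string $password, string $salt, int $rounds): string
{
    $hash = md5($salt . $password, true);
    for ($i = 0; $i < $rounds; $i++) {
        $hash = md5($hash . $password, true);
    }
    return bin2hex($hash);
}

// Illustrative cap (an assumption for this example, not a value from the advisory).
const MAX_PASSWORD_BYTES = 4096;

// Hardened wrapper: reject oversized input before doing any expensive work.
function hash_password_checked(string $password, string $salt, int $rounds): ?string
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return null;
    }
    return portable_hash_loop($password, $salt, $rounds);
}

$salt   = 'constructedsalt';   // constructed salt
$rounds = 1 << 13;             // 8192 rounds, a typical phpass portable-hash setting

// Unguarded: a 64 KiB password costs thousands of times more than a short one,
// because every one of the 8192 rounds hashes the full password again.
foreach (['correct horse', str_repeat('A', 64 * 1024)] as $pw) {
    $t0 = microtime(true);
    portable_hash_loop($pw, $salt, $rounds);
    printf("unguarded len=%7d  %.3fs\n", strlen($pw), microtime(true) - $t0);
}

// Guarded: a constructed 1 MiB "password" is rejected without being hashed.
$huge = str_repeat('A', 1024 * 1024);
$t0   = microtime(true);
$res  = hash_password_checked($huge, $salt, $rounds);
printf("guarded   len=%7d  %s in %.3fs\n",
       strlen($huge), $res === null ? 'rejected' : 'hashed', microtime(true) - $t0);

// --- 2. Hash comparison with PHP dynamic type conversion ---

// PHP's == compares two numeric-looking strings as numbers. A hex digest of
// the form "0e" followed only by digits is numeric (zero times a power of ten),
// so any two such digests compare equal under == although the bytes differ.
$stored    = '0e462097431906509019562988736854'; // constructed digest of that shape
$submitted = '0e830400451993494058024219903391'; // a different digest of the same shape

function check_loose(string $stored, string $submitted): bool
{
    return $stored == $submitted;            // weak: numeric comparison of strings
}

function check_strict(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted); // byte-wise and constant-time
}

var_dump(check_loose($stored, $submitted));  // the loose check treats the digests as equal
var_dump(check_strict($stored, $submitted)); // the strict check does not
```

Run it with `php example.php` (assumed file name). The length cap belongs in front of every call into the hasher, verification included, since an attacker-supplied login attempt is the cheapest way to reach the expensive loop; and `hash_equals` (or `===` where timing is not a concern) should replace every `==` on digest strings, not only in the legacy MD5 path.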
Current thread:
- WordPress 4.0.1 Security Release Henri Salo (Nov 20)
- Re: WordPress 4.0.1 Security Release Kurt Seifried (Nov 20)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 20)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 25)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 25)
- Re: WordPress 4.0.1 Security Release cve-assign (Nov 25)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 20)
- Re: WordPress 4.0.1 Security Release Kurt Seifried (Nov 20)