oss-sec mailing list archives
Re: WordPress 4.0.1 Security Release
From: Andrew Nacin <nacin () wordpress org>
Date: Tue, 25 Nov 2014 14:56:33 -0500
On Tue, Nov 25, 2014 at 1:32 PM, Andrew Nacin <nacin () wordpress org> wrote:
> * Previously an email address change would not invalidate a previous password reset email. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). WordPress now invalidates this if the user remembers their password, logs in, and changes their email address. Affected

Editing error. Last bullet should have read:

* Previously an email address change would not invalidate a previous password reset email. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). WordPress now invalidates this if the user remembers their password, logs in, and changes their email address. Reported by Momen Bassel, Tanoy Bose, and Bojan Slavković.