oss-sec mailing list archives
Re: WordPress 4.0.1 Security Release
From: cve-assign () mitre org
Date: Tue, 25 Nov 2014 15:09:56 -0500 (EST)
* XSS in wptexturize() via comments or posts. Unauthenticated. Affected versions <= 3.9.2 (except >= 3.8.5 / 3.7.5). Discovered by Jouko Pynnonen.
http://klikki.fi/adv/wordpress.html
Use CVE-2014-9031.
* XSS in media playlists. Affected versions 3.9, 3.9.1, 3.9.2, 4.0. Reported by Jon Cave.
Use CVE-2014-9032.
* CSRF in the password reset process. Affected versions 4.0, 3.9.2, 3.8.4, 3.7.4.
http://core.trac.wordpress.org/changeset/30418
Use CVE-2014-9033.
* Denial of service for giant passwords. This is the same issue as CVE-2014-9016 in Drupal, and was reported by the same individuals to both projects. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
http://core.trac.wordpress.org/changeset/30467
Use CVE-2014-9034. We consider this distinct from CVE-2014-9016 because the use of a maximum password length can be chosen independently.
* XSS in Press This. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). Reported by John Blackbourn.
Use CVE-2014-9035.
* XSS in HTML filtering of CSS in posts. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). Reported by Robert Chapin.
Use CVE-2014-9036. (Note that, for the XSS issues, we have used the discoverer information as expressed in the http://openwall.com/lists/oss-security/2014/11/25/10 post -- this is slightly different from the way the discoverer information was expressed in the https://wordpress.org/news/2014/11/wordpress-4-0-1/ announcement.)
* Hash comparison vulnerability in old-style MD5-stored passwords. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). The WordPress install must have once run WordPress < 2.5 (March 29, 2008), the user must not have logged in since the install was updated to >= 2.5, and the user needed to have a password for which the md5 hash was something that could be collided with due to PHP dynamic type comparisons (something like 1 in 170 million). Reported by David Anderson.
Use CVE-2014-9037.
* SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). Reported by Ben Bidner.
https://core.trac.wordpress.org/changeset/30444
Use CVE-2014-9038.
* Previously an email address change would not invalidate a previous password reset email. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). WordPress now invalidates this if the user remembers their password, logs in, and changes their email address. Reported by Momen Bassel, Tanoy Bose, and Bojan Slavkovic.
http://core.trac.wordpress.org/changeset/30431
Use CVE-2014-9039.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
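The CVE-2014-9034 item above (phpass used without a maximum password length) is easiest to see with the cost written out. The following is an added example, not code from WordPress, phpass or the message author: it re-implements the phpass "portable" ($P$) construction that WordPress uses (2**count rounds of md5(previous_digest + password)), shows that the bytes hashed grow linearly with the password length on every round, and contrasts an unbounded check with one that rejects oversized input before hashing. The 4096-byte cap, the salt and the sample passwords are this example's own assumptions; verify the limit WordPress chose against changeset 30467.

```python
import hashlib
import time

# Alphabet and construction follow the phpass "portable" ($P$) scheme that
# WordPress uses. This is an illustrative re-implementation, not the library.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Cap applied before any hashing. 4096 is this example's assumption; Drupal's
# fix for CVE-2014-9016 chose its own limit independently.
MAX_PASSWORD_LENGTH = 4096


def _encode64(data: bytes) -> str:
    """phpass's custom base64 (itoa64 alphabet, no padding)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: bytes, setting: str) -> str:
    """$P$ hash from a setting: '$P$' + cost char + 8-char salt (+ ignored rest)."""
    count = 1 << ITOA64.index(setting[3])
    salt = setting[4:12].encode()
    h = hashlib.md5(salt + password).digest()
    for _ in range(count):            # every round re-feeds the whole password
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _encode64(h)


def hash_work_bytes(password_length: int, count_log2: int) -> int:
    """Bytes fed to MD5 by phpass_hash: linear in the password length, per round."""
    rounds = 1 << count_log2
    return (8 + password_length) + rounds * (16 + password_length)


def check_password_unbounded(password: bytes, stored: str) -> bool:
    """Pre-4.0.1 shape of the check: hash whatever arrives, however long."""
    return phpass_hash(password, stored) == stored


def check_password_capped(password: bytes, stored: str) -> bool:
    """4.0.1-style shape: refuse oversized input before touching the hash."""
    if len(password) > MAX_PASSWORD_LENGTH:
        return False
    return phpass_hash(password, stored) == stored


def time_check(func, password: bytes, stored: str) -> float:
    """Wall-clock seconds spent in one password check."""
    t0 = time.perf_counter()
    func(password, stored)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed sample: WordPress's default cost ($P$B = 2**8 rounds), fixed salt.
    stored = phpass_hash(b"correct horse", "$P$Babcdefgh")
    attacker_pw = b"A" * 1_000_000    # one megabyte of "password"
    print("13-byte password:", hash_work_bytes(13, 8), "bytes hashed")
    print("1 MB password:   ", hash_work_bytes(1_000_000, 8), "bytes hashed")
    print("unbounded check: %.3fs" % time_check(check_password_unbounded, attacker_pw, stored))
    print("capped check:    %.6fs" % time_check(check_password_capped, attacker_pw, stored))
```

Because the request is unauthenticated and the login form is the entry point, the cap has to sit in front of the hash call itself (authentication, password reset and any other path that calls the checker), not only in the form's client-side validation.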
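For the CVE-2014-9037 item (loose comparison of old-style MD5 hashes), the mechanism is PHP's `==` treating two numeric-looking strings as numbers, so a digest of the form `0e<digits>` compares equal to any other digest of that form. The block below is an added example, not WordPress or phpass code: it emulates that PHP rule in Python (a simplified model, an assumption), uses two well-known MD5 preimages whose digests have that shape, and contrasts the loose check with a constant-time byte comparison of the kind PHP's hash_equals() provides. The user, stored hash and attacker guess are constructed.

```python
import hashlib
import hmac
import re

# Simplified model of PHP's numeric-string rule (assumption: whitespace and
# other edge cases omitted). When both operands of == are numeric strings,
# PHP compares them as numbers, so "0e123" == "0e456" because both are 0.
_NUMERIC_STRING = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's `$a == $b` for two strings under the rule above."""
    if _NUMERIC_STRING.match(a) and _NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def is_zero_like_digest(hexdigest: str) -> bool:
    """True when a hex digest reads as the number 0 to PHP (e.g. 0e<digits>)."""
    return bool(_NUMERIC_STRING.match(hexdigest)) and float(hexdigest) == 0.0


def check_legacy_md5_loose(password: str, stored_md5: str) -> bool:
    """Pre-fix shape of the check for 32-char legacy hashes: md5($pw) == $stored."""
    return php_loose_equals(hashlib.md5(password.encode()).hexdigest(), stored_md5)


def check_legacy_md5_strict(password: str, stored_md5: str) -> bool:
    """Fixed shape: constant-time comparison of the raw bytes (PHP: hash_equals())."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(digest.encode(), stored_md5.encode())


# Constructed scenario: a user whose last login predates the upgrade to
# WordPress 2.5 still has a bare MD5 in the database (a login would have
# rehashed it with phpass). Both strings are well-known "magic" MD5 preimages.
LEGACY_PASSWORD = "QNKCDZO"
LEGACY_STORED_MD5 = hashlib.md5(LEGACY_PASSWORD.encode()).hexdigest()
ATTACKER_GUESS = "240610708"


def demo() -> dict:
    """Outcome of each check for the attacker's guess and the real password."""
    return {
        "stored_is_zero_like": is_zero_like_digest(LEGACY_STORED_MD5),
        "guess_is_zero_like": is_zero_like_digest(hashlib.md5(ATTACKER_GUESS.encode()).hexdigest()),
        "loose_accepts_guess": check_legacy_md5_loose(ATTACKER_GUESS, LEGACY_STORED_MD5),
        "strict_accepts_guess": check_legacy_md5_strict(ATTACKER_GUESS, LEGACY_STORED_MD5),
        "strict_accepts_real": check_legacy_md5_strict(LEGACY_PASSWORD, LEGACY_STORED_MD5),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The preconditions the message lists follow directly from this: the stored value must itself be a zero-like digest (which is why only a small fraction of legacy users are exposed), and it must still be a bare MD5, which is only the case if the account has not logged in since the phpass migration.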
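The CVE-2014-9038 item says the "safe" HTTP request filter did not sufficiently block the loopback address space, i.e. it treated the single address 127.0.0.1 as the problem rather than the whole 127.0.0.0/8 block (and its IPv6 and IPv4-mapped equivalents). The block below is an added example, not WordPress code: a weak check of that shape beside a stricter one built on Python's ipaddress module. The hostname table standing in for DNS and the addresses in it are constructed so the example runs offline.

```python
import ipaddress
from typing import Dict, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS: Dict[str, str] = {
    "wordpress.example": "93.184.216.34",   # a public address
    "localtest.example": "127.0.0.2",       # loopback, but not 127.0.0.1
    "metadata.example": "169.254.169.254",  # link-local (cloud metadata style)
}


def resolve(host: str, table: Dict[str, str] = FAKE_DNS) -> Optional[IPAddr]:
    """Accept an IP literal directly, otherwise look the name up in the table."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        ip = table.get(host)
        return ipaddress.ip_address(ip) if ip else None


def is_allowed_weak(host: str) -> bool:
    """Shape of the insufficient check: only the literal 127.0.0.1 is blocked."""
    ip = resolve(host)
    return ip is not None and str(ip) != "127.0.0.1"


def is_allowed_strict(host: str) -> bool:
    """Block the entire loopback block plus the other non-public ranges."""
    ip = resolve(host)
    if ip is None:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped             # ::ffff:127.0.0.5 is still loopback
    return not (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


if __name__ == "__main__":
    for host in ["127.0.0.1", "localtest.example", "::ffff:127.0.0.5", "::1",
                 "metadata.example", "wordpress.example"]:
        print(f"{host:20} weak={is_allowed_weak(host)!s:5} strict={is_allowed_strict(host)}")
```

Two caveats a practitioner would add: the decision must be made on the address the client actually connects to (resolving once for the check and again for the connection invites a DNS rebinding race), and every redirect target has to go through the same validation, since a public host can redirect the fetcher back to loopback.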
Current thread:
- WordPress 4.0.1 Security Release Henri Salo (Nov 20)
- Re: WordPress 4.0.1 Security Release Kurt Seifried (Nov 20)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 20)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 25)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 25)
- Re: WordPress 4.0.1 Security Release cve-assign (Nov 25)
- Re: WordPress 4.0.1 Security Release Andrew Nacin (Nov 20)
- Re: WordPress 4.0.1 Security Release Kurt Seifried (Nov 20)