oss-sec mailing list archives
Re: WordPress 4.2.1 security update - CVE please
From: Alessandro Ghedini <alessandro () ghedini me>
Date: Mon, 27 Apr 2015 21:29:01 +0200
On Mon, Apr 27, 2015 at 09:08:44PM +0200, Salvatore Bonaccorso wrote:
Hi Kurt, On Mon, Apr 27, 2015 at 12:47:58PM -0600, Kurt Seifried wrote:http://codex.wordpress.org/Version_4.2.1 Version 4.2.1 addressed a security issue. For more information, see the release notes. From the announcement post, WordPress 4.2.1 fixes a critical cross-site scripting (XSS) vulnerability, which could enable commenters to compromise a site.Had requested CVEs for this in http://www.openwall.com/lists/oss-security/2015/04/26/2 .
Note that this and your request are about two different wordpress releases (at first I got confused too by the version numbers, 4.1.2 != 4.2.1).
But there is as well a different stored XSS reported http://klikki.fi/adv/wordpress2.html which seems to affect as well the latest wordpress versions (not verified myself).
This blog post seems to be about the same issue fixed in 4.2.1: it talks about comments length when inserted in the database, which is what commit [0] seems to fix (basically the only commit in the 4.2.1 release [1]). Also, both the wordpress announce and the blog post credit the vulnerability discovery to the same person. (All this to say that we need CVEs for both the 4.1.2 and the 4.2.1 releases: they fix different issues). Cheers [0] https://core.trac.wordpress.org/changeset/32307/branches/4.2 [1] https://core.trac.wordpress.org/log/branches/4.2
Attachment:
signature.asc
Description: Digital signature
Current thread:
- WordPress 4.2.1 security update - CVE please Kurt Seifried (Apr 27)
- Re: WordPress 4.2.1 security update - CVE please Salvatore Bonaccorso (Apr 27)
- Re: WordPress 4.2.1 security update - CVE please Alessandro Ghedini (Apr 27)
- Re: WordPress 4.2.1 security update - CVE please Salvatore Bonaccorso (Apr 27)
- Re: WordPress 4.2.1 security update - CVE please Alessandro Ghedini (Apr 27)
- Re: WordPress 4.2.1 security update - CVE please Salvatore Bonaccorso (Apr 27)