oss-sec mailing list archives
Re: CVEs for wordpress 3.4.2 release
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Sep 2012 01:09:31 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/12/2012 11:49 AM, Andrew Nacin wrote:
On Wed, Sep 12, 2012 at 1:04 PM, Kurt Seifried <kseifried () redhat com> wrote:On 09/12/2012 04:38 AM, Hanno Boeck wrote:I can't find CVEs assigend for the issues fixed in wordpress 3.4.2. http://wordpress.org/news/2012/09/wordpress-3-4-2/ Sadly, the information is quite limited: "Version 3.4.2 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential privilege escalation and a bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team." I suggest assigning two: 1. potential privilege escalation 2. problem with untrusted users on multisite installations unless someone has more information.Can security () wordpress org provide clarification on this please?The second one there is CVE-2012-3383. 3.4.1 remained affected; fixed in 3.4.2. We are more specific on our version pages. From http://codex.wordpress.org/Version_3.4.2: * Fix unfiltered HTML capabilities in multisite (this is CVE-2012-3383) * Fix possible privilege escalation in the Atom Publishing Protocol endpoint
Please use CVE-2012-4421 for this issue.
* Allow operations on network plugins only through the network admin
Please use CVE-2012-4422 for this issue.
Details for the other two:
Thanks for the details
* AtomPub allowed contributors to publish posts, which is normally reserved for users of an author role or higher. This should be considered low risk, low impact. An additional mitigating factor is that AtomPub is off by default and rarely enabled. (In WordPress 3.5, AtomPub will no longer be a part of core.) * For multisite, plugins that must be activated network-wide could be activated by a non-network administrator. This is only if they were already installed by a network administrator, but left inactive. This could also only occur if the network administrator allowed individual site administrators to manage plugins -- by default, this is not the case, and it is rare. Again, not particularly high risk or impact. Regards, Andrew Nacin Lead Developer WordPress
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQUYarAAoJEBYNRVNeJnmT2roP/0hahIE+kTjQzB2dVeyOR6vK Ro0npwJsEXX3T1+5pJYRWNMuMcblWqF2u76qOzLb5RMmuzYgKgO83C8TeoEh4Ec/ v46bLImZ0d1007Q4tBq0XJSKT84qDCWg4DQRD7uvCA+viamYYtlkSZ98Rm0erMMS IIKq2cvav+WSGrr/Xfl+Q0z0I2nZTQVh8qZ3gxlyvLeIJM8HcxvvYbZWvaPx3GZp 8xn5Hto5w+L3XLnrH0KI10g3svUpiRu9F7pFtdOo0PwWHja+tBkIVLqshCardijC eicgTxwzueKrA6iBUWgazxxkGXH03QvGYSz+3i2uy4InNFF4ygQWM3gOYNfK8M7B ZXNc1x/aeExjXVahkg505bAT7GhzvN4GymzNui8TT92vvGqqWO9k9GNRspwZ6YfT TnpEFAf4I4jSLaSArwnwu68ESLd7vTU42dKhOR/fQtxy7OHSjWfzqm+nBOCyUv0A LViGOn4wYKp+aTD86drDBBGFlshEyGURHRwUAV9twG8xu3fFF8hW5x/zDZ64RCac tt/L5oOgfa0v1QgNfsk/CCs0ey08QHQJZCxQDM2jl3q4T3eHuKKlyVYe+dKcKboH Tp6N3FogISlfsHwRju0K7NHI4ocnVxE8Dp//nRoPblq3ZZ+cbA57Sx2zaumXRVHC lB2EKrwcV1fLmf4PIEab =Z5q5 -----END PGP SIGNATURE-----
Current thread:
- CVEs for wordpress 3.4.2 release Hanno Boeck (Sep 12)
- Re: CVEs for wordpress 3.4.2 release Kurt Seifried (Sep 12)
- Re: CVEs for wordpress 3.4.2 release Andrew Nacin (Sep 12)
- Re: CVEs for wordpress 3.4.2 release Kurt Seifried (Sep 13)
- Re: CVEs for wordpress 3.4.2 release Andrew Nacin (Sep 12)
- Re: CVEs for wordpress 3.4.2 release Yves-Alexis Perez (Sep 13)
- Re: CVEs for wordpress 3.4.2 release Kurt Seifried (Sep 13)
- Re: CVEs for wordpress 3.4.2 release Kurt Seifried (Sep 12)