Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 16 Nov 2009 16:24:47 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Wordpress 2.8.6

Let's use these:

CVE-2009-3890 wordpress OSVDB 59958
CVE-2009-3891 wordpress OSVDB 59959

Thanks.

-- 
    JB

----- "security curmudgeon" <jericho@...rition.org> wrote:

> On Sun, 15 Nov 2009, Alex Legler wrote:
> 
> : Wordpress released an update, fixing 2 issues:
> : 
> : "2.8.6 fixes two security problems that can be exploited by
> registered, 
> : logged in users who have posting privileges.  If you have untrusted
> 
> : authors on your blog, upgrading to 2.8.6 is recommended.
> : 
> : The first problem is an XSS vulnerability in Press This discovered
> by 
> : Benjamin Flesch.  The second problem, discovered by Dawid Golunski,
> is 
> : an issue with sanitizing uploaded file names that can be exploited
> in 
> : certain Apache configurations. Thanks to Benjamin and Dawid for
> finding 
> : and reporting these."
> : 
> : from
> :
> http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/
> : 
> : I believe these are the matching tickets:
> : Issue 1: http://core.trac.wordpress.org/ticket/11119
> : Issue 2: http://core.trac.wordpress.org/ticket/11122
> 
> OSVDB   Disclosure              Title
> 
> 59958 	2009-11-12 		WordPress /wp-includes/functions.php
> wp_check_filetype() Function File Upload Arbitrary Code Execution 
> 
> 59959 	2009-11-12 		WordPress press-this.php Unspecified XSS

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ