Date: Mon, 16 Nov 2009 16:24:47 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Wordpress 2.8.6

Let's use these:

CVE-2009-3890 wordpress OSVDB 59958
CVE-2009-3891 wordpress OSVDB 59959

Thanks.

--
    JB

----- "security curmudgeon" <jericho@...rition.org> wrote:
> On Sun, 15 Nov 2009, Alex Legler wrote:
>
> : Wordpress released an update, fixing 2 issues:
> :
> : "2.8.6 fixes two security problems that can be exploited by registered,
> : logged in users who have posting privileges. If you have untrusted
> : authors on your blog, upgrading to 2.8.6 is recommended.
> :
> : The first problem is an XSS vulnerability in Press This discovered by
> : Benjamin Flesch. The second problem, discovered by Dawid Golunski, is
> : an issue with sanitizing uploaded file names that can be exploited in
> : certain Apache configurations. Thanks to Benjamin and Dawid for finding
> : and reporting these."
> :
> : from
> : http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/
> :
> : I believe these are the matching tickets:
> : Issue 1: http://core.trac.wordpress.org/ticket/11119
> : Issue 2: http://core.trac.wordpress.org/ticket/11122
>
> OSVDB   Disclosure   Title
>
> 59958   2009-11-12   WordPress /wp-includes/functions.php wp_check_filetype() Function File Upload Arbitrary Code Execution
>
> 59959   2009-11-12   WordPress press-this.php Unspecified XSS
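The second issue above (CVE-2009-3890) is described only as "an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations". The example below is added here as an illustration of that class of bug and is not WordPress code or the actual 2.8.6 patch. It assumes the Apache behaviour in question is mod_mime treating every dot-separated component after the first as an extension, so that with a directive such as AddHandler for .php a file named shell.php.jpg is still executed as PHP even though its final extension is on an image allow-list. The allow-list, the handler map and the test file names are constructed for the example; the sanitizer shown (append an underscore to any intermediate extension that is not on the allow-list) is one generic way to neutralise such names, written in Python rather than PHP so it can be run stand-alone.

```python
# Added example: multi-extension upload names vs. a last-extension-only check.
# Not WordPress code; the allow-list and handler map below are constructed.

# Extensions the upload handler is willing to store (constructed allow-list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}

# Simplified model of an Apache vhost with "AddHandler php-script .php".
# Only the handler directive matters here; AddType is not modelled.
APACHE_HANDLERS = {"php": "php-script", "phtml": "php-script"}


def naive_check(filename: str) -> bool:
    """The weak check: look only at the final extension.

    Accepts 'shell.php.jpg' because 'jpg' is on the allow-list.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def apache_handler_for(filename: str, handlers: dict = APACHE_HANDLERS):
    """Simplified mod_mime model (assumption, see lead-in).

    Every component after the first is treated as an extension; the last
    component that matches a handler directive decides which handler runs.
    A later non-handler extension (e.g. .jpg) does not clear the handler.
    """
    handler = None
    for ext in filename.split(".")[1:]:
        handler = handlers.get(ext.lower(), handler)
    return handler


def sanitize_multi_extension(filename: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Neutralise intermediate extensions that are not on the allow-list.

    'shell.php.jpg' -> 'shell.php_.jpg': the component 'php_' no longer
    matches any AddHandler directive, while the final extension is kept
    intact so the stored file still has the type the user requested.
    The first component (the base name) and the last (the real extension)
    are left alone; the final extension is validated separately.
    """
    parts = filename.split(".")
    if len(parts) <= 2:
        return filename
    for i in range(1, len(parts) - 1):
        if parts[i].lower() not in allowed:
            parts[i] = parts[i] + "_"
    return ".".join(parts)


def check_upload(filename: str):
    """Hardened check: sanitise the name, then require an allowed final extension.

    Returns (accepted, name_to_store).
    """
    safe_name = sanitize_multi_extension(filename)
    return naive_check(safe_name), safe_name


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.php", "shell.php.jpg", "a.phtml.png.jpg"):
        ok, stored = check_upload(name)
        print(f"{name:18} naive={naive_check(name)!s:5} "
              f"handler_before={apache_handler_for(name)} "
              f"accepted={ok} stored_as={stored} "
              f"handler_after={apache_handler_for(stored)}")
```

Run stand-alone, the script shows that the naive check and the hardened check agree on photo.jpg and shell.php, but differ on shell.php.jpg: the naive check stores it under a name the modelled Apache configuration would hand to the PHP handler, while the hardened path stores shell.php_.jpg, which no handler claims. Whether a real Apache instance behaves this way depends on its actual mod_mime directives, which the advisory quoted above does not spell out.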