Date: Thu, 19 Apr 2012 09:56:52 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Henri Salo <henri@...v.fi>
CC: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de>,
        Yves-Alexis Perez <corsac@...ian.org>
Subject: Re: CVE-request: WordPress 3.1.1

On 04/19/2012 01:43 AM, Henri Salo wrote:
> On Tue, Apr 17, 2012 at 11:10:27PM -0600, Kurt Seifried wrote:
>> Can you make a clean list of security issues and the versions 
>> affected? Thanks.
> 
> Two issues in 3.1.1 are without 2011 CVE-identifiers, which are
> announced in here:
> http://wordpress.org/news/2011/04/wordpress-3-1-1/ (April 5,
> 2011).
> 
> Issue #1:
> 
> http://osvdb.org/show/osvdb/72141 
> http://secunia.com/advisories/44038/
> 
> "Certain unspecified input is not properly sanitised before being
> returned to the user. This can be exploited to execute arbitrary
> HTML and script code in a user's browser session in context of an
> affected site."

Please use CVE-2011-4956 for this issue.

> Issue #2:
> 
> http://osvdb.org/show/osvdb/72142 
> http://secunia.com/advisories/44038/
> 
> "The "make_clickable()" function in wp-includes/formatting.php does
> not properly check the URL length in comments before passing it to
> the PCRE library, which can be exploited to cause a crash."

Please use CVE-2011-4957 for this issue.

> Both vulnerabilities are reported in versions prior to 3.1.1.
> 
> - Henri Salo

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
