Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Apr 2012 10:43:23 +0300
From: Henri Salo <>
Cc: Kurt Seifried <>,
	Hanno Böck <>,
	Yves-Alexis Perez <>
Subject: Re: CVE-request: WordPress 3.1.1

On Tue, Apr 17, 2012 at 11:10:27PM -0600, Kurt Seifried wrote:
> Can you make a clean list of security issues and the versions
> affected? Thanks.

Two issues in 3.1.1 are without 2011 CVE-identifiers, which are announced in here: (April 5, 2011).

Issue #1:

"Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."

Issue #2:

"The "make_clickable()" function in wp-includes/formatting.php does not properly check the URL length in comments before passing it to the PCRE library, which can be exploited to cause a crash."

Both vulnerabilities are reported in versions prior to 3.1.1.

- Henri Salo

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ