Date: Wed, 06 Aug 2014 21:42:45 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: WordPress 3.9.2 release - needs CVE's

http://wordpress.org/news/2014/08/wordpress-3-9-2/

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.

This release fixes a possible denial of service issue in PHP's XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases.

WordPress 3.9.2 also contains other security changes:

- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
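An added defender-side illustration of the guard that addresses both XML items in the announcement above (the entity-expansion denial of service and the GetID3 entity disclosure); it is not WordPress's own fix and is written in Python rather than PHP. The idea is to refuse any request body that declares a DTD, because both entity expansion and external entities require one. The sample bodies and the `demo.ping` method name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Entity declarations, the vector for both entity-expansion denial of service and
# external-entity disclosure, can only appear inside a DTD, so refusing any document
# that opens one closes both classes before the parser ever sees the body.
# (XML requires upper-case DOCTYPE; IGNORECASE is only belt and braces.)
_DTD_MARKER = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def _decode(raw: bytes) -> str:
    """Decode the request body so the marker check runs on text, not bytes."""
    # A UTF-16 body would hide "<!DOCTYPE" from a byte-level search; honour its BOM.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8")


def declares_dtd(xml_text: str) -> bool:
    """True when the document carries a DOCTYPE or ENTITY declaration."""
    return _DTD_MARKER.search(xml_text) is not None


def parse_untrusted_xml(raw: bytes) -> ET.Element:
    """Parse an XML request body, rejecting any DTD before the parser runs."""
    text = _decode(raw)
    if declares_dtd(text):
        raise ValueError("DTD/entity declarations are not accepted in requests")
    return ET.fromstring(text)


def is_accepted(raw: bytes) -> bool:
    """Does the guard (and the parser) let this body through?"""
    try:
        parse_untrusted_xml(raw)
    except (ValueError, ET.ParseError):
        return False
    return True


# Constructed samples; "demo.ping" is a made-up method name, not a WordPress one.
SAMPLE_OK = b'<?xml version="1.0"?><methodCall><methodName>demo.ping</methodName></methodCall>'
SAMPLE_DTD = b'<?xml version="1.0"?><!DOCTYPE m [<!ENTITY e "e">]><methodCall>&e;</methodCall>'
SAMPLE_DTD_UTF16 = SAMPLE_DTD.decode("utf-8").encode("utf-16")  # BOM-prefixed copy

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("dtd", SAMPLE_DTD), ("dtd-utf16", SAMPLE_DTD_UTF16)):
        print(name, "accepted" if is_accepted(body) else "rejected")
```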