Date: Wed, 13 Aug 2014 01:47:41 -0400 (EDT) From: cve-assign@...re.org To: nacin@...dpress.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: WordPress 3.9.2 release - needs CVE's -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> -Fixes a possible but unlikely code execution when processing widgets >> (WordPress is not affected by default), discovered by Alex Concha of >> the WordPress security team. > This is an unsafe serialization vulnerability. Affected versions 3.9 and > 3.9.1. > > https://core.trac.wordpress.org/changeset/29389 Use CVE-2014-5203. >> -Adds protections against brute attacks against CSRF tokens, reported >> by David Tomaschik of the Google Security Team. > Same reporter, same same line of code, but two separate issues here. One, > when building CSRF tokens, the individual pieces were not separated by > delimiter, so $action + $user_id could have been post_1 + user 23 or post > 12 + user 3. Second issue: Nonces were not being compared in a > time-constant manner. Neither are easy to exploit. > > Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) > https://core.trac.wordpress.org/changeset/29384 Use CVE-2014-5204. > https://core.trac.wordpress.org/changeset/29408 Use CVE-2014-5205. >> -Contains some additional security hardening, like preventing >> cross-site scripting that could be triggered only by administrators. >> > > XSS: https://core.trac.wordpress.org/changeset/29398 We think this can have a CVE ID only if it allows privilege escalation from Administrator to Super Admin in a Multisite installation. Does it? (On other installations, Administrator has the unfiltered_html capability.) - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJT6vtbAAoJEKllVAevmvmsj50H/0KjAlZw8T7hQEiNypBwZ0Am 9CwHU6rwG2LrsPExN94huJNzTduUoGdb80EyQaYZFjRXhwV0gJbT7/JuvVTgPosk EOy5inmeyD49fQc2XoZmJtj+Fvq2nT6Eahl7CIeKi6TkmfnAYx56mBCEgQDOTwNE 3ProL0arbJoW/h52i0VaRihnvbH8fu417+mGaRy9yCNK96O7tHnbH769WNsqww4k TnAcd9pc0eOU1BT0FUM/mt7/sTtCuTmaLo8z8JdKFsGogrp21CoR8LEWK1qaRwGk t8DXL0kug8qZosFu8CRsPtp9Sytt4ea/P1v+cZNFG5mc0T7pZLCzwQZqWong1kY= =75KS -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ