Date: Thu, 14 Aug 2014 17:32:41 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: GetID3 CVE-2014-2053 XXE issue [was Re: WordPress 3.9.2 release - needs CVE's]

>> - Prevents information disclosure via XML entity attacks in the
>> external GetID3 library, reported by Ivan Novikov of ONSec.
>>
>
> This is an XXE in GetID3, http://getid3.sourceforge.net/. Upstream
> CVE-2014-2053.
> Affected WordPress versions 3.6 - 3.9.1 (except 3.7.4 / 3.8.4)
>
> https://core.trac.wordpress.org/changeset/29390

Thanks Andrew!

For the separate package of GetID3, I think this is the fix:

https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc

Making a separate mail in case anyone else missed CVE-2014-2053.

Cheers,

--
Murray McAllister / Red Hat Product Security
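The bug class in this thread is XXE: an XML parser resolving attacker-declared external entities while reading embedded metadata. As an added illustration, not getID3's own code or the linked fix, here is the defensive parsing pattern in PHP; the function name and the two sample documents are constructed for this example, and it assumes the metadata being parsed never legitimately needs a DTD.

```php
<?php
// Added example (not from getID3): parse an XML metadata fragment without
// resolving entities, the failure mode behind CVE-2014-2053.

function parseXmlMetadataSafely(string $xml): ?DOMDocument
{
    // Older libxml2 builds resolve external entities by default. Disable that
    // explicitly on PHP < 8.0; from 8.0 it is off by default and the call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // Collect parse errors instead of emitting warnings for malformed input.
    libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing.
    // Never add LIBXML_NOENT or LIBXML_DTDLOAD here: both re-enable entity resolution.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();

    if (!$ok) {
        return null;
    }
    // Media metadata never needs a DTD, so any DOCTYPE (the only place entities
    // can be declared) is treated as hostile and the document is rejected.
    if ($doc->doctype !== null) {
        return null;
    }
    return $doc;
}

// Constructed samples: a benign fragment and one carrying an entity declaration.
$benign  = '<?xml version="1.0"?><meta><title>track one</title></meta>';
$hostile = '<?xml version="1.0"?>'
         . '<!DOCTYPE meta [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
         . '<meta><title>&ext;</title></meta>';

echo "benign accepted: ",  parseXmlMetadataSafely($benign)  !== null ? "yes" : "no", PHP_EOL;
echo "hostile rejected: ", parseXmlMetadataSafely($hostile) === null ? "yes" : "no", PHP_EOL;
```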
