Date: Thu, 14 Aug 2014 17:32:41 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: GetID3 CVE-2014-2053 XXE issue [was Re: WordPress 3.9.2 release - needs CVE's]

>> - -Prevents information disclosure via XML entity attacks in the
>> external GetID3 library, reported by Ivan Novikov of ONSec.
>>
>
> This is an XXE in GetID3, http://getid3.sourceforge.net/. Upstream
> CVE-2014-2053.
> Affected WordPress versions 3.6 - 3.9.1 (except 3.7.4 / 3.8.4)
>
> https://core.trac.wordpress.org/changeset/29390

Thanks Andrew! For the separate package of GetID3, I think this is the fix:

https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc

Making a separate mail in case anyone else missed CVE-2014-2053.

Cheers,

--
Murray McAllister / Red Hat Product Security