Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 26 Apr 2015 13:30:00 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Possible CVE Request: Wordpress 4.1.2 security release

Hi

I have not seen a request for CVEs for the issues fixed in the recent
WordPress security release:

https://wordpress.org/news/2015/04/wordpress-4-1-2/

> WordPress 4.1.2 is now available. This is a critical security release
> for all previous versions and we strongly encourage you to update your
> sites immediately.
> 
> WordPress versions 4.1.1 and earlier are affected by a critical cross-
> site scripting vulnerability, which could enable anonymous users to
> compromise a site. This was reported by Cedric Van Bockhaven and fixed
> by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress
> security team.
> 
> We also fixed three other security issues:
> 
>  * In WordPress 4.1 and higher, files with invalid or unsafe names
>    could be uploaded. Discovered by Michael Kapfer and Sebastian
>    Kraemer of HSASec.
>  * In WordPress 3.9 and higher, a very limited cross-site scripting
>    vulnerability could be used as part of a social engineering attack.
>    Discovered by Jakub Zoczek.
>  * Some plugins were vulnerable to an SQL injection vulnerability.
>    Discovered by Ben Bidner of the WordPress security team.
> 
> We also made four hardening changes, discovered by J.D. Grimes, Divyesh
> Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.
> 
> We appreciated the responsible disclosure of these issues directly to
> our security team. For more information, see the release notes or
> consult the list of changes.

Could you please assign CVEs to identify the issues fixed by the
latest WordPress release?

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.