Date: Sun, 26 Apr 2015 13:30:00 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Possible CVE Request: Wordpress 4.1.2 security release

Hi

I have not seen a request for CVEs for the issues fixed in the recent
WordPress security release:

https://wordpress.org/news/2015/04/wordpress-4-1-2/

> WordPress 4.1.2 is now available. This is a critical security release
> for all previous versions and we strongly encourage you to update your
> sites immediately.
>
> WordPress versions 4.1.1 and earlier are affected by a critical
> cross-site scripting vulnerability, which could enable anonymous users
> to compromise a site. This was reported by Cedric Van Bockhaven and
> fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress
> security team.
>
> We also fixed three other security issues:
>
> * In WordPress 4.1 and higher, files with invalid or unsafe names
>   could be uploaded. Discovered by Michael Kapfer and Sebastian
>   Kraemer of HSASec.
> * In WordPress 3.9 and higher, a very limited cross-site scripting
>   vulnerability could be used as part of a social engineering attack.
>   Discovered by Jakub Zoczek.
> * Some plugins were vulnerable to an SQL injection vulnerability.
>   Discovered by Ben Bidner of the WordPress security team.
>
> We also made four hardening changes, discovered by J.D. Grimes, Divyesh
> Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.
>
> We appreciated the responsible disclosure of these issues directly to
> our security team. For more information, see the release notes or
> consult the list of changes.

Could you please assign CVEs to identify the issues fixed by the latest
WordPress release?

Regards,
Salvatore