Date: Sun, 26 Apr 2015 13:30:00 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Possible CVE Request: Wordpress 4.1.2 security release

Hi

I have not seen a request for CVEs for the issues fixed in the recent
WordPress security release:

https://wordpress.org/news/2015/04/wordpress-4-1-2/

> WordPress 4.1.2 is now available. This is a critical security release
> for all previous versions and we strongly encourage you to update your
> sites immediately.
> 
> WordPress versions 4.1.1 and earlier are affected by a critical cross-
> site scripting vulnerability, which could enable anonymous users to
> compromise a site. This was reported by Cedric Van Bockhaven and fixed
> by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress
> security team.
> 
> We also fixed three other security issues:
> 
>  * In WordPress 4.1 and higher, files with invalid or unsafe names
>    could be uploaded. Discovered by Michael Kapfer and Sebastian
>    Kraemer of HSASec.
>  * In WordPress 3.9 and higher, a very limited cross-site scripting
>    vulnerability could be used as part of a social engineering attack.
>    Discovered by Jakub Zoczek.
>  * Some plugins were vulnerable to an SQL injection vulnerability.
>    Discovered by Ben Bidner of the WordPress security team.
> 
> We also made four hardening changes, discovered by J.D. Grimes, Divyesh
> Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.
> 
> We appreciated the responsible disclosure of these issues directly to
> our security team. For more information, see the release notes or
> consult the list of changes.

Could you please assign CVEs to identify the issues fixed by the
latest WordPress release?

Regards,
Salvatore
