Date: Tue, 7 Mar 2017 10:45:35 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Craig Small <csmall@....com.au>
Subject: Re: CVE Request: Wordpress: 6 security issues in Wordpress 4.7 2

So this CVE request raises a good example:

Wordpress needs CVEs for its security flaws. This is a simple fact.

Now ideally the Wordpress team would become a CVE Numbering Authority (CNA)
and cover it themselves, if they would like to do this then they need to
reach out to me as the DWF guy and I can make that happen.

If that doesn't happen then the good news is we have another option now.
Someone can become a CVEMentor and CNA and take over the Wordpress
assignments (well until Wordpress becomes a CNA). So if someone wants to
step up and do this, please contact me as the DWF guy and I can make that
happen.

This is also true for other projects/open source products. We need better
CVE coverage. Ideally these projects/products step up and become CNAs, but
if they cannot (lack of resources/time/etc) that's ok, because now people
with an interest can come forward and do it.

On Tue, Mar 7, 2017 at 4:16 AM, Emilio Pozuelo Monfort <pochu27@...il.com>
wrote:

> On 07/03/17 11:44, Craig Small wrote:
> > Hello again,
> >  Wordpress 4.7.3 fixes 6 security issues.  Summer of Pwnage has reported 2
> > here yesterday but here is the list from the wordpress site.
> >
> > Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè
> > Dale, Yorick Koster, and Simon P. Briggs.
> >
> > Control characters can trick redirect URL validation. Reported by Daniel
> > Chatfield.
> >
> > Unintended files can be deleted by administrators using the plugin deletion
> > functionality. Reported by xuliang.
> >
> > Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by
> > Marc Montpas.
> >
> > Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
> >
> > Cross-site request forgery (CSRF) in Press This leading to excessive use of
> > server resources. Reported by Sipke Mellema.
> >
> >
> > Reference:
> > https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
> Please report these through http://cveform.mitre.org/ to get CVEs assigned, and
> follow up here with the CVE identifiers after that's done.
>
> Thanks,
> Emilio
>



-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
