Date: Tue, 7 Mar 2017 10:45:35 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Craig Small <csmall@....com.au>
Subject: Re: CVE Request: Wordpress: 6 security issues in Wordpress 4.7.3

So this CVE request raises a good example: Wordpress needs CVEs for its security flaws. This is a simple fact. Now ideally the Wordpress team would become a CVE Numbering Authority (CNA) and cover it themselves; if they would like to do this then they need to reach out to me as the DWF guy and I can make that happen.

If that doesn't happen then the good news is we have another option now. Someone can become a CVE Mentor and CNA and take over the Wordpress assignments (well, until Wordpress becomes a CNA). So if someone wants to step up and do this, please contact me as the DWF guy and I can make that happen.

This is also true for other projects/open source products. We need better CVE coverage. Ideally these projects/products step up and become CNAs, but if they cannot (lack of resources/time/etc.) that's OK, because now people with an interest can come forward and do it.

On Tue, Mar 7, 2017 at 4:16 AM, Emilio Pozuelo Monfort <pochu27@...il.com> wrote:

> On 07/03/17 11:44, Craig Small wrote:
> > Hello again,
> > Wordpress 4.7.3 fixes 6 security issues. Summer of Pwnage has reported 2
> > here yesterday but here is the list from the wordpress site.
> >
> > Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè
> > Dale, Yorick Koster, and Simon P. Briggs.
> >
> > Control characters can trick redirect URL validation. Reported by Daniel
> > Chatfield.
> >
> > Unintended files can be deleted by administrators using the plugin deletion
> > functionality. Reported by xuliang.
> >
> > Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by
> > Marc Montpas.
> >
> > Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
> >
> > Cross-site request forgery (CSRF) in Press This leading to excessive use of
> > server resources. Reported by Sipke Mellema.
> >
> >
> > Reference:
> > https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
> Please report these through http://cveform.mitre.org/ to get CVEs
> assigned, and follow up here with the CVE identifiers after that's done.
>
> Thanks,
> Emilio

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com