Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 19 Apr 2012 09:56:52 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Henri Salo <henri@...v.fi>
CC: oss-security@...ts.openwall.com,
        Hanno Böck
 <hanno@...eck.de>,
        Yves-Alexis Perez <corsac@...ian.org>
Subject: Re: CVE-request: WordPress 3.1.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/19/2012 01:43 AM, Henri Salo wrote:
> On Tue, Apr 17, 2012 at 11:10:27PM -0600, Kurt Seifried wrote:
>> Can you make a clean list of security issues and the versions 
>> affected? Thanks.
> 
> Two issues in 3.1.1 are without 2011 CVE-identifiers, which are
> announced in here:
> http://wordpress.org/news/2011/04/wordpress-3-1-1/ (April 5,
> 2011).
> 
> Issue #1:
> 
> http://osvdb.org/show/osvdb/72141 
> http://secunia.com/advisories/44038/
> 
> "Certain unspecified input is not properly sanitised before being
> returned to the user. This can be exploited to execute arbitrary
> HTML and script code in a user's browser session in context of an
> affected site."

Please use CVE-2011-4956 for this issue.

> Issue #2:
> 
> http://osvdb.org/show/osvdb/72142 
> http://secunia.com/advisories/44038/
> 
> "The "make_clickable()" function in wp-includes/formatting.php does
> not properly check the URL length in comments before passing it to
> the PCRE library, which can be exploited to cause a crash."

Please use CVE-2011-4957 for this issue.

> Both vulnerabilities are reported in versions prior to 3.1.1.
> 
> - Henri Salo


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPkDXDAAoJEBYNRVNeJnmTEkUP/2JcZah+MvvsfkT04zWOGpwO
72szSSSvrLzEyIyJatAVvEjIEI4/q1voaYxBJXWkDAqx2r3v3Ni3Ns2Rd8SLK5Uk
QG7XfUs/aVrW9eQSJ/keD5XSTdmFbA0EwVuEA7/x/N9ODFG8YHW5O8k7sazDlRzp
N7VipPKEa8OqYg/9t6EAFvfIZdkvZ7lS4Nrzgd7j3eT/VnmshU5JLMosdYxbbWol
5VnkEQ8FvhqpCdlRDSGS2kJxrwbhos50ad9aFwQXfMcXNQlENUEogLF1uCVRt5UW
wm7xNeboi+zbiCBfo7BkwiDmsuZhCTHwt5EV4jJ60GDIfY91ode1N3tXt785/li2
EHtwbkO2C2k2vPqNh8pKKHOV9xqAwLhYIN6JqGN1Eywz4xQrVgqzPT6meai5Y8f3
pEeX0hKPT0P/Zq6zK0vpVUN2bHYmSbIRJqOaAWEPFiQ/HnngDflQR8KcnQ7Edbk/
9wWsjZ0raHMuYg3TgI/idLpimj6jNBUDUPzdrfufU4AuihQ79wIhwmpRcKh6sNHu
bgGSxFl/TbSKFknECbgkNDmoxq+RrH7MW3eEsBTeQyRDBW62ZiJikfokYid/kMRn
XxMhQBx7zYfOsOzvh9a+FC2+5scn6uZUDgNUx5Jy/8GeqCLuq2/PqHpSukpZcftF
l1zzfWJ5VEmNwkAp2Hz/
=hp+u
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.