Date: Thu, 13 Sep 2012 01:09:31 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Andrew Nacin <nacin@...dpress.org>, Hanno Boeck <hanno@...eck.de>, security@...dpress.org Subject: Re: CVEs for wordpress 3.4.2 release -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/12/2012 11:49 AM, Andrew Nacin wrote: > On Wed, Sep 12, 2012 at 1:04 PM, Kurt Seifried > <kseifried@...hat.com> wrote: > >> On 09/12/2012 04:38 AM, Hanno Boeck wrote: >>> I can't find CVEs assigend for the issues fixed in wordpress >>> 3.4.2. >>> >>> http://wordpress.org/news/2012/09/wordpress-3-4-2/ >>> >>> >>> Sadly, the information is quite limited: "Version 3.4.2 also >>> fixes a few security issues and contains some security >>> hardening. The vulnerabilities included potential privilege >>> escalation and a bug that affects multisite installs with >>> untrusted users. These issues were discovered and fixed by the >>> WordPress security team." >>> >>> I suggest assigning two: 1. potential privilege escalation 2. >>> problem with untrusted users on multisite installations unless >>> someone has more information. >> >> Can security@...dpress.org provide clarification on this please? > > > The second one there is CVE-2012-3383. 3.4.1 remained affected; > fixed in 3.4.2. > > We are more specific on our version pages. From > http://codex.wordpress.org/Version_3.4.2: > > * Fix unfiltered HTML capabilities in multisite (this is > CVE-2012-3383) * Fix possible privilege escalation in the Atom > Publishing Protocol endpoint Please use CVE-2012-4421 for this issue. > * Allow operations on network plugins only through the network > admin Please use CVE-2012-4422 for this issue. > Details for the other two: Thanks for the details > * AtomPub allowed contributors to publish posts, which is normally > reserved for users of an author role or higher. This should be > considered low risk, low impact. An additional mitigating factor is > that AtomPub is off by default and rarely enabled. (In WordPress > 3.5, AtomPub will no longer be a part of core.) > > * For multisite, plugins that must be activated network-wide could > be activated by a non-network administrator. This is only if they > were already installed by a network administrator, but left > inactive. This could also only occur if the network administrator > allowed individual site administrators to manage plugins -- by > default, this is not the case, and it is rare. Again, not > particularly high risk or impact. > > Regards, > > Andrew Nacin Lead Developer WordPress > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQUYarAAoJEBYNRVNeJnmT2roP/0hahIE+kTjQzB2dVeyOR6vK Ro0npwJsEXX3T1+5pJYRWNMuMcblWqF2u76qOzLb5RMmuzYgKgO83C8TeoEh4Ec/ v46bLImZ0d1007Q4tBq0XJSKT84qDCWg4DQRD7uvCA+viamYYtlkSZ98Rm0erMMS IIKq2cvav+WSGrr/Xfl+Q0z0I2nZTQVh8qZ3gxlyvLeIJM8HcxvvYbZWvaPx3GZp 8xn5Hto5w+L3XLnrH0KI10g3svUpiRu9F7pFtdOo0PwWHja+tBkIVLqshCardijC eicgTxwzueKrA6iBUWgazxxkGXH03QvGYSz+3i2uy4InNFF4ygQWM3gOYNfK8M7B ZXNc1x/aeExjXVahkg505bAT7GhzvN4GymzNui8TT92vvGqqWO9k9GNRspwZ6YfT TnpEFAf4I4jSLaSArwnwu68ESLd7vTU42dKhOR/fQtxy7OHSjWfzqm+nBOCyUv0A LViGOn4wYKp+aTD86drDBBGFlshEyGURHRwUAV9twG8xu3fFF8hW5x/zDZ64RCac tt/L5oOgfa0v1QgNfsk/CCs0ey08QHQJZCxQDM2jl3q4T3eHuKKlyVYe+dKcKboH Tp6N3FogISlfsHwRju0K7NHI4ocnVxE8Dp//nRoPblq3ZZ+cbA57Sx2zaumXRVHC lB2EKrwcV1fLmf4PIEab =Z5q5 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.