Date: Thu, 13 Sep 2012 01:09:31 -0600
From: Kurt Seifried <>
CC: Andrew Nacin <>, Hanno Boeck <>,
Subject: Re: CVEs for wordpress 3.4.2 release

On 09/12/2012 11:49 AM, Andrew Nacin wrote:
> On Wed, Sep 12, 2012 at 1:04 PM, Kurt Seifried
> <> wrote:
>> On 09/12/2012 04:38 AM, Hanno Boeck wrote:
>>> I can't find CVEs assigned for the issues fixed in wordpress
>>> 3.4.2.
>>> Sadly, the information is quite limited: "Version 3.4.2 also
>>> fixes a few security issues and contains some security
>>> hardening. The vulnerabilities included potential privilege
>>> escalation and a bug that affects multisite installs with
>>> untrusted users. These issues were discovered and fixed by the
>>> WordPress security team."
>>> I suggest assigning two: 1. potential privilege escalation 2. 
>>> problem with untrusted users on multisite installations unless 
>>> someone has more information.
>> Can you provide clarification on this please?
> The second one there is CVE-2012-3383. 3.4.1 remained affected;
> fixed in 3.4.2.
> We are more specific on our version pages. From
> * Fix unfiltered HTML capabilities in multisite (this is
> CVE-2012-3383)
> * Fix possible privilege escalation in the Atom
> Publishing Protocol endpoint

Please use CVE-2012-4421 for this issue.

> * Allow operations on network plugins only through the network
> admin

Please use CVE-2012-4422 for this issue.

> Details for the other two:

Thanks for the details.

> * AtomPub allowed contributors to publish posts, which is normally
> reserved for users of an author role or higher. This should be
> considered low risk, low impact. An additional mitigating factor is
> that AtomPub is off by default and rarely enabled. (In WordPress
> 3.5, AtomPub will no longer be a part of core.)
> * For multisite, plugins that must be activated network-wide could
> be activated by a non-network administrator. This is only if they
> were already installed by a network administrator, but left
> inactive. This could also only occur if the network administrator
> allowed individual site administrators to manage plugins -- by
> default, this is not the case, and it is rare. Again, not 
> particularly high risk or impact.
> Regards,
> Andrew Nacin Lead Developer WordPress

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
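The two issues Andrew describes are both capability checks that were too loose: the AtomPub endpoint honoured a requested "publish" status for anyone who could edit posts, and a site administrator who was allowed to manage plugins could activate a network-only plugin that a network administrator had installed but left inactive. The following is a constructed Python model of those checks, added here as an illustration; it is not WordPress code, the role-to-capability table is only loosely modelled on WordPress defaults, and every function, class and field name in it is hypothetical. Each "weak" function shows the behaviour the thread attributes to the pre-3.4.2 code beside a hardened version that keys the decision off the specific capability and scope rather than off "may edit" or "may activate".

```python
from dataclasses import dataclass

# Role -> capability sets, loosely modelled on WordPress defaults (constructed).
ROLE_CAPS = {
    "contributor": {"edit_posts"},
    "author": {"edit_posts", "publish_posts"},
    "administrator": {"edit_posts", "publish_posts", "activate_plugins"},
}


@dataclass
class User:
    name: str
    role: str
    network_admin: bool = False  # "super admin" of a multisite network

    def can(self, cap: str) -> bool:
        return cap in ROLE_CAPS.get(self.role, set())


def atompub_create_post_weak(user: User, title: str, status: str) -> dict:
    """Pre-fix behaviour as described in the thread: any user who may edit
    posts gets whatever status the request asks for, so a contributor can
    publish directly (hypothetical model)."""
    if not user.can("edit_posts"):
        raise PermissionError(f"{user.name} may not create posts")
    return {"title": title, "status": status}


def atompub_create_post(user: User, title: str, status: str) -> dict:
    """Hardened: 'publish' requires the publish_posts capability; anyone
    else has the post queued as pending review instead."""
    if not user.can("edit_posts"):
        raise PermissionError(f"{user.name} may not create posts")
    if status == "publish" and not user.can("publish_posts"):
        status = "pending"
    return {"title": title, "status": status}


@dataclass
class Plugin:
    slug: str
    network_only: bool = False  # must be activated network-wide


@dataclass
class Network:
    site_admins_manage_plugins: bool = False  # off by default, per the thread


def activate_plugin_weak(user: User, plugin: Plugin, network: Network,
                         from_network_admin: bool = False) -> bool:
    """Pre-fix behaviour: the check ignores whether the plugin is
    network-only, so a site admin permitted to manage plugins can activate
    one that a network admin installed but left inactive."""
    if user.network_admin:
        return True
    return network.site_admins_manage_plugins and user.can("activate_plugins")


def activate_plugin(user: User, plugin: Plugin, network: Network,
                    from_network_admin: bool = False) -> bool:
    """Hardened: network-only plugins are activated only by a network admin
    and only through the network admin screens; other plugins keep the
    site-level rule."""
    if plugin.network_only:
        return user.network_admin and from_network_admin
    if user.network_admin:
        return True
    return network.site_admins_manage_plugins and user.can("activate_plugins")


if __name__ == "__main__":
    carol = User("carol", "contributor")
    print(atompub_create_post_weak(carol, "draft", "publish")["status"])  # publish
    print(atompub_create_post(carol, "draft", "publish")["status"])       # pending
</test>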
