Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Aug 2014 00:00:06 -0400
From: Andrew Nacin <>
To: Open Source Security <>
Subject: Re: WordPress 3.9.2 release - needs CVE's

Thanks Kurt, this was next on my to-do list.

On Wed, Aug 6, 2014 at 11:42 PM, Kurt Seifried <> wrote:
> This release fixes a possible denial of service issue in PHP's XML
> processing, reported by Nir Goldshlager of the Product
> Security Team. It was fixed by Michael Adams and Andrew Nacin of the
> WordPress security team and David Rothstein of the Drupal security
> team. This is the first time our two projects have coordinated on
> joint security releases.

Sigh. XML sucks and I somehow doubt many others are doing this right,
either. PHP + libxml makes it pretty much impossible to parse an XML file
safely. The issue was internal entity expansion (quadratic, not
exponential). Not XXE and potentially not all that bad depending on server

Per their security advisory, Drupal submitted a CVE request for this as
well. This is actually a vulnerability in an external library ( We use the library as-is, while they
forked it. (Well, they took the class and broke it into individual
functions — the code was the same and our patches differed only in coding
standards.) Not sure how this should be handled.

For WordPress, this affected versions 1.5 - 3.9.1 (except 3.7.4 / 3.8.4 --
these were branch releases today in addition to 3.9.2).

- -Fixes a possible but unlikely code execution when processing widgets
> (WordPress is not affected by default), discovered by Alex Concha of
> the WordPress security team.

This is an unsafe serialization vulnerability. Affected versions 3.9 and

> - -Prevents information disclosure via XML entity attacks in the
> external GetID3 library, reported by Ivan Novikov of ONSec.

This is an XXE in GetID3, Upstream
Affected WordPress versions 3.6 - 3.9.1 (except 3.7.4 / 3.8.4)

> - -Adds protections against brute attacks against CSRF tokens, reported
> by David Tomaschik of the Google Security Team.

Same reporter, same same line of code, but two separate issues here. One,
when building CSRF tokens, the individual pieces were not separated by
delimiter, so $action + $user_id could have been post_1 + user 23 or post
12 + user 3. Second issue: Nonces were not being compared in a
time-constant manner. Neither are easy to exploit.

Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4)

- -Contains some additional security hardening, like preventing
> cross-site scripting that could be triggered only by administrators.


Affected WordPress versions 2.5 - 3.9.1 (except 3.7.4 / 3.8.4)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.