Date: Wed, 13 Aug 2014 01:47:41 -0400 (EDT) From: cve-assign@...re.org To: nacin@...dpress.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: WordPress 3.9.2 release - needs CVE's -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> -Fixes a possible but unlikely code execution when processing widgets >> (WordPress is not affected by default), discovered by Alex Concha of >> the WordPress security team. > This is an unsafe serialization vulnerability. Affected versions 3.9 and > 3.9.1. > > https://core.trac.wordpress.org/changeset/29389 Use CVE-2014-5203. >> -Adds protections against brute attacks against CSRF tokens, reported >> by David Tomaschik of the Google Security Team. > Same reporter, same same line of code, but two separate issues here. One, > when building CSRF tokens, the individual pieces were not separated by > delimiter, so $action + $user_id could have been post_1 + user 23 or post > 12 + user 3. Second issue: Nonces were not being compared in a > time-constant manner. Neither are easy to exploit. > > Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) > https://core.trac.wordpress.org/changeset/29384 Use CVE-2014-5204. > https://core.trac.wordpress.org/changeset/29408 Use CVE-2014-5205. >> -Contains some additional security hardening, like preventing >> cross-site scripting that could be triggered only by administrators. >> > > XSS: https://core.trac.wordpress.org/changeset/29398 We think this can have a CVE ID only if it allows privilege escalation from Administrator to Super Admin in a Multisite installation. Does it? (On other installations, Administrator has the unfiltered_html capability.) - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJT6vtbAAoJEKllVAevmvmsj50H/0KjAlZw8T7hQEiNypBwZ0Am 9CwHU6rwG2LrsPExN94huJNzTduUoGdb80EyQaYZFjRXhwV0gJbT7/JuvVTgPosk EOy5inmeyD49fQc2XoZmJtj+Fvq2nT6Eahl7CIeKi6TkmfnAYx56mBCEgQDOTwNE 3ProL0arbJoW/h52i0VaRihnvbH8fu417+mGaRy9yCNK96O7tHnbH769WNsqww4k TnAcd9pc0eOU1BT0FUM/mt7/sTtCuTmaLo8z8JdKFsGogrp21CoR8LEWK1qaRwGk t8DXL0kug8qZosFu8CRsPtp9Sytt4ea/P1v+cZNFG5mc0T7pZLCzwQZqWong1kY= =75KS -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.