Date: Tue, 25 Nov 2014 15:09:56 -0500 (EST)
From: cve-assign@...re.org
To: nacin@...dpress.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: WordPress 4.0.1 Security Release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> * XSS in wptexturize() via comments or posts. Unauthenticated. Affected
> versions <= 3.9.2 (except >= 3.8.5 / 3.7.5). Discovered by Jouko Pynnonen.
> http://klikki.fi/adv/wordpress.html

Use CVE-2014-9031.

> * XSS in media playlists. Affected versions 3.9, 3.9.1, 3.9.2, 4.0.
> Reported by Jon Cave.

Use CVE-2014-9032.

> * CSRF in the password reset process. Affected versions 4.0, 3.9.2, 3.8.4,
> 3.7.4.
> http://core.trac.wordpress.org/changeset/30418

Use CVE-2014-9033.

> * Denial of service for giant passwords. This is the same issue as
> CVE-2014-9016 in Drupal, and was reported by the same individuals to both
> projects. The phpass library by Solar Designer was used in both projects
> without setting a maximum password length, which can lead to CPU
> exhaustion upon hashing.
> Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
> http://core.trac.wordpress.org/changeset/30467

Use CVE-2014-9034. We consider this distinct from CVE-2014-9016 because
the use of a maximum password length can be chosen independently.

> * XSS in Press This. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 /
> 3.9.3). Reported by John Blackbourn.

Use CVE-2014-9035.

> * XSS in HTML filtering of CSS in posts. Affected versions <= 4.0 (except
> >= 3.8.5 / 3.7.5 / 3.9.3). Reported by Robert Chapin.

Use CVE-2014-9036.

(Note that, for the XSS issues, we have used the discoverer information
as expressed in the http://openwall.com/lists/oss-security/2014/11/25/10
post -- this is slightly different from the way the discoverer
information was expressed in the
https://wordpress.org/news/2014/11/wordpress-4-0-1/ announcement.)

> * Hash comparison vulnerability in old-style MD5-stored passwords.
> Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3). The
> WordPress install must have once run WordPress < 2.5 (March 29, 2008),
> the user must not have logged in since the install was updated to >= 2.5,
> and the user needed to have a password for which the md5 hash was
> something that could be collided with due to PHP dynamic type
> comparisons (something like 1 in 170 million). Reported by David Anderson.

Use CVE-2014-9037.

> * SSRF: Safe HTTP requests did not sufficiently block the loopback IP
> address space. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 / 3.9.3).
> Reported by Ben Bidner.
> https://core.trac.wordpress.org/changeset/30444

Use CVE-2014-9038.

> * Previously an email address change would not invalidate a previous
> password reset email. Affected versions <= 4.0 (except >= 3.8.5 / 3.7.5 /
> 3.9.3). WordPress now invalidates this if the user remembers their
> password, logs in, and changes their email address. Reported by Momen
> Bassel, Tanoy Bose, and Bojan Slavkovic.
> http://core.trac.wordpress.org/changeset/30431

Use CVE-2014-9039.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUdOGsAAoJEKllVAevmvmst7QIAJtdJNpYCY4mjY+o8DCovdSp
q32y8P+xHhcZyiCp7Aac1OARc1Niy4qTBvIKh2kxDjx7wZ7R+mN2cMH/DvgN1zOE
pHaj+HumkNCP8yfkh24M4eqViq68RHutIddkT4dZHMU/uGL9Xe3Ba39+c0h5hyGk
Dyfb04BEkizvOQIonk3f6H+38S2XupGITt5gpxtHS2NUG9OQeVRcRG744IsdfsoU
lx+Qenkqb+yYDX5mq3OfBYgJ+FnBnDyteyO6nJ0+1NNepBCiiwG0LtEHXBKRrpDw
OyiUv+MzZfGnnMZ5rWTsg26y5vGPjlF6EiT0MxgpcHLGk/YiY0eUPQi2aagHeeY=
=8PCM
-----END PGP SIGNATURE-----
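The CVE-2014-9034 item above (phpass used without a maximum password length) describes a cost problem rather than a correctness bug: phpass's portable scheme re-hashes the whole password on every iteration, so the work an unauthenticated login attempt imposes scales with the submitted length. The following is an added illustration in Python, not code from WordPress, Drupal or phpass; it models only phpass's MD5 work loop (the result encoding is left out), and the 4096-byte cap is an assumed value for the example, not a number taken from the linked changeset.

```python
import hashlib
import time

# Assumed cap for this example. The mail only says phpass was used "without
# setting a maximum password length"; the number is not taken from the
# WordPress or Drupal changesets.
MAX_PASSWORD_BYTES = 4096


def phpass_portable_core(password: bytes, salt: bytes, log2_rounds: int) -> bytes:
    """Core loop of phpass's portable (MD5-based) scheme: md5(salt + password),
    then 2**log2_rounds iterations of md5(previous_digest + password).
    The output encoding phpass applies afterwards is omitted; only the work
    loop matters here. Every iteration re-reads the whole password, so CPU
    cost grows with len(password) * 2**log2_rounds."""
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.md5(digest + password).digest()
    return digest


def bytes_hashed(password_len: int, salt_len: int, log2_rounds: int) -> int:
    """Total bytes fed through MD5 for one verification; a cheap way to see
    why an unbounded password length is a CPU-exhaustion vector."""
    return salt_len + password_len + (1 << log2_rounds) * (16 + password_len)


def check_password_vulnerable(password: bytes, salt: bytes, log2_rounds: int = 8) -> bytes:
    """Pre-fix shape: hash whatever length the client sent."""
    return phpass_portable_core(password, salt, log2_rounds)


def password_length_ok(password: bytes) -> bool:
    return len(password) <= MAX_PASSWORD_BYTES


def check_password_fixed(password: bytes, salt: bytes, log2_rounds: int = 8) -> bytes:
    """Post-fix shape: reject over-long input before any hashing is done, so
    the cost an unauthenticated client can impose is bounded."""
    if not password_length_ok(password):
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return phpass_portable_core(password, salt, log2_rounds)


def _time(fn, password: bytes) -> float:
    start = time.perf_counter()
    try:
        fn(password, b"12345678")          # constructed 8-byte salt
    except ValueError:
        pass
    return time.perf_counter() - start


if __name__ == "__main__":
    short, huge = b"correct horse battery staple", b"A" * (1 << 20)  # 1 MiB
    print("bytes hashed, 28-byte password:", bytes_hashed(len(short), 8, 8))
    print("bytes hashed, 1 MiB password:  ", bytes_hashed(len(huge), 8, 8))
    print("vulnerable, short: %.4fs" % _time(check_password_vulnerable, short))
    print("vulnerable, huge:  %.4fs" % _time(check_password_vulnerable, huge))
    print("fixed, huge:       %.4fs" % _time(check_password_fixed, huge))
```

The check belongs before the hash call, not inside it: once the hashing routine has started, the work has already been spent. This is also why MITRE treats the two CVEs as distinct, as the mail says: the cap is a policy each project chooses around the shared library, not a change to phpass itself.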
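The CVE-2014-9037 item rests on PHP's loose comparison: when both operands of `==` are numeric strings, PHP compares them as numbers, and a hex MD5 of the form `0e` followed only by digits is the number zero. Two different digests of that shape therefore compare equal. The block below is an added Python illustration, not WordPress or PHP code; it models PHP's string `==` rule closely enough for hex digests, contrasts it with a strict constant-time comparison (the role `hash_equals()` plays in PHP), and adds the audit a defender would run over stored legacy hashes. The digest-shaped strings in it are constructed, not hashes of any real password.

```python
import hmac
import re

# Simplified model of PHP's numeric-string rule. When BOTH operands of ==
# are numeric strings PHP compares them as numbers, so "0e123" == "0e456"
# holds (0 * 10**123 == 0 * 10**456). Real PHP accepts a few more forms
# (leading whitespace, for instance); this covers hex digests.
_PHP_INT = re.compile(r"^[+-]?\d+$")
_PHP_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def _fits_php_int(v: int) -> bool:
    return -(1 << 63) <= v < (1 << 63)


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's == between two strings (PHP 5.4.4 and later; two
    numeric strings still compare numerically in PHP 8)."""
    if _PHP_INT.match(a) and _PHP_INT.match(b):
        ia, ib = int(a), int(b)
        if _fits_php_int(ia) and _fits_php_int(ib):
            return ia == ib
        if not _fits_php_int(ia) and not _fits_php_int(ib):
            # both overflow: compared as doubles, and if those agree PHP
            # falls back to a byte-wise comparison of the strings
            return float(a) == float(b) and a == b
        return float(ia) == float(ib)
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def compare_vulnerable(stored_md5_hex: str, computed_md5_hex: str) -> bool:
    """Pre-fix shape: `$stored == md5($password)` in PHP."""
    return php_loose_equals(stored_md5_hex, computed_md5_hex)


def compare_fixed(stored_md5_hex: str, computed_md5_hex: str) -> bool:
    """Post-fix shape: strict, constant-time byte comparison; no numeric
    coercion can occur. PHP's hash_equals() plays the same role."""
    return hmac.compare_digest(stored_md5_hex.encode(), computed_md5_hex.encode())


def is_collidable_md5(hex_digest: str) -> bool:
    """True when a stored lowercase hex MD5 is of the form 0e<digits only>,
    which PHP treats as the number zero; every other digest of that form
    then compares equal to it under ==. Digests containing a-d or f are
    never numeric strings."""
    return re.fullmatch(r"0+e\d+", hex_digest) is not None


def audit_legacy_hashes(user_hashes: dict) -> list:
    """Defender's use: list user ids whose legacy MD5 has the collidable
    shape, i.e. the accounts to force through a rehash or password reset."""
    return sorted(uid for uid, h in user_hashes.items() if is_collidable_md5(h))


if __name__ == "__main__":
    # constructed digest-shaped strings, not hashes of any real password
    stored, other = "0e" + "1" * 30, "0e" + "7" * 30
    print("loose  ==:", compare_vulnerable(stored, other))   # True
    print("strict ==:", compare_fixed(stored, other))        # False
    print("flagged:", audit_legacy_hashes({1: "5d41402abc4b2a76b9719d911017c592", 2: stored}))
```

The audit is the practical takeaway for an operator of an install old enough to still hold pre-2.5 MD5 hashes: the preconditions listed in the mail (installed before 2.5, user never logged in since, hash of the collidable shape) can all be checked from the user table, and the affected accounts can be rehashed or reset without waiting for the users to return.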
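The CVE-2014-9038 item says the "safe" HTTP request path did not block the loopback address space sufficiently. The point for anyone writing such a filter is that loopback is a range (127.0.0.0/8, plus ::1 and IPv4-mapped forms), not one address, and that a hostname has to be resolved and every resulting address checked. The following is an added Python illustration of that check, not WordPress's `wp_http_validate_url()` or the code in the linked changeset; the single-address "old" check is a constructed stand-in for the insufficient pattern, and the name-to-address table is constructed so the demonstration runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolve(hostname: str) -> list:
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def old_loopback_check_blocks(ip_text: str) -> bool:
    """Illustration of the insufficient pattern the mail describes: only a
    single loopback address is denied, so 127.0.0.2 through 127.255.255.254
    (and ::1) pass. Constructed for this example, not WordPress's code."""
    return ip_text == "127.0.0.1"


def is_blocked_address(ip) -> bool:
    """Deny the whole loopback space plus private, link-local, unspecified
    and other non-global ranges, for IPv4, IPv6 and IPv4-mapped IPv6."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is loopback too
    return ip.is_loopback or not ip.is_global


def is_safe_url(url: str, resolve=system_resolve) -> bool:
    """True only for http(s) URLs whose host, after resolution, maps
    exclusively to globally routable addresses. Fails closed on parse or
    resolution errors."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:                       # not a literal: resolve it
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False
    if not addrs:
        return False
    return not any(is_blocked_address(ip) for ip in addrs)


# Constructed name->address table so the demonstration runs offline.
DEMO_TABLE = {
    "internal.example": ["127.0.0.2"],
    "www.example": ["8.8.8.8"],           # a well-known public address
    "dual.example": ["8.8.8.8", "10.0.0.5"],
}


def demo_resolve(hostname: str) -> list:
    return DEMO_TABLE.get(hostname, [])


if __name__ == "__main__":
    for u in ("http://127.0.0.1/", "http://127.0.0.2/", "http://[::1]/",
              "http://[::ffff:127.0.0.1]/", "http://internal.example/",
              "http://dual.example/", "http://www.example/"):
        host = urlsplit(u).hostname
        print("%-30s old check blocks: %-5s  new check allows: %s"
              % (u, old_loopback_check_blocks(host), is_safe_url(u, demo_resolve)))
```

Two caveats that any real deployment of this check needs: a host that resolves to a mix of public and internal addresses is rejected outright rather than trusting whichever address the client library picks, and the check has to be re-applied to every redirect target, since a public host can answer with a 3xx pointing back at loopback.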