Date: Sat, 14 Jan 2017 14:24:15 -0500
From: <cve-assign@...re.org>
To: <csmall@...ian.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Wordpress: 8 security issues in 4.7


> https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
> https://codex.wordpress.org/Version_4.7.1

> Remote code execution (RCE) in PHPMailer - No specific issue appears to
> affect WordPress or any of the major plugins we investigated but, out of an
> abundance of caution, we updated PHPMailer in this release. This issue was
> reported to PHPMailer by Dawid Golunski and Paul Buonopane.
> (This is an extra fix for CVE-2016-10066 and CVE-2016-10045; I'll
> leave it to you to decide whether it is the same ID or a new one.)

There is no new CVE ID for this.


> The REST API exposed user data for all users who had authored a post of a
> public post type. WordPress 4.7.1 limits this to only post types which have
> specified that they should be shown within the REST API. Reported by
> Krogsgard and Chris Jean.
> https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60
> https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/

Use CVE-2017-5487.


> Cross-site scripting (XSS) via the plugin name or version header on
> update-core.php. Reported by Dominik Schilling of the WordPress Security
> Team.
> https://github.com/WordPress/WordPress/commit/c9ea1de1441bb3bda133bf72d513ca9de66566c2

Use CVE-2017-5488.


> Cross-site request forgery (CSRF) bypass via uploading a Flash file.
> Reported by Abdullah Hussam.

Use CVE-2017-5489.


> Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
> https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
> https://www.mehmetince.net/low-severity-wordpress/

Use CVE-2017-5490.


> Post via email checks mail.example.com if default settings aren't changed.
> Reported by John Blackbourn of the WordPress Security Team.
> https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a

Use CVE-2017-5491.


> A cross-site request forgery (CSRF) was discovered in the accessibility
> mode of widget editing. Reported by Ronnie Skansing.
> https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733

Use CVE-2017-5492.


> Weak cryptographic security for multisite activation key. Reported by Jack.
> https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4

Use CVE-2017-5493.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
