davidwhodgins
type: security
subject: Updated wordpress package fixes security vulnerabilities
CVE:
 - CVE-2013-2173
 - CVE-2013-2199
 - CVE-2013-2200
 - CVE-2013-2201
 - CVE-2013-2202
 - CVE-2013-2203
 - CVE-2013-2204
 - CVE-2013-2205
src:
  2:
   core:
     - wordpress-3.5.2-1.mga2
  3:
   core:
     - wordpress-3.5.2-1.mga3
description: |
  A denial of service flaw was found in the way WordPress, a blog tool and
  publishing platform, performed hash computation when checking the password
  for password-protected blog posts. A remote attacker could provide a
  specially crafted input that, when processed by the password checking
  mechanism of WordPress, would lead to excessive CPU consumption
  (CVE-2013-2173).

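Where that CPU consumption comes from, as an added example that is not part of the advisory and not WordPress or phpass code: a Python port of the phpass portable "$P$" scheme WordPress uses for both user and post passwords. WordPress keeps the hash of a post password in the wp-postpass_<COOKIEHASH> cookie and hands it to CheckPassword(), and phpass reads the iteration count from the fourth character of that attacker-supplied string, so the client picks how many MD5 rounds the server runs. The fix in 3.5.2 is the prefix check shown in check_password_after_fix(): WordPress's own PasswordHash(8, true) only ever emits "$P$B" (2**13 rounds), so any other prefix is refused before hashing. The function names, the forged cookie value and the "open sesame" password are constructed for this example.

```python
# Added example, not WordPress or phpass code: a Python port of phpass's
# portable "$P$" scheme, enough to show where CVE-2013-2173 comes from.
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WP_PREFIX = "$P$B"  # PasswordHash(8, true): 8 + 5 = 13, ITOA64[13] == 'B', 2**13 rounds


def encode64(data: bytes, count: int) -> str:
    """phpass's own 6-bit encoding (not RFC 4648 base64)."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def iteration_count(setting: str) -> int:
    """Rounds phpass will run for this setting string, 0 if it refuses it.
    The count is chosen by whoever wrote the string: anything from 2**7 to 2**30."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return 0
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return 0
    return 1 << count_log2


def crypt_private(password: bytes, setting: str) -> str:
    """Port of PasswordHash::crypt_private(); returns '*0'/'*1' on bad input."""
    count = iteration_count(setting)
    if count == 0:
        return "*1" if setting.startswith("*0") else "*0"
    salt = setting[4:12].encode("ascii")
    h = hashlib.md5(salt + password).digest()
    for _ in range(count):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)


def hash_password(password: bytes, salt: bytes = None) -> str:
    """What WordPress's PasswordHash(8, true)->HashPassword() produces."""
    if salt is None:
        salt = os.urandom(6)
    return crypt_private(password, WP_PREFIX + encode64(salt, 6))


def check_password_before_fix(post_password: bytes, cookie_hash: str) -> bool:
    """Pre-3.5.2: post_password_required() hands the cookie straight to
    CheckPassword(), so the cookie decides how much CPU the server burns."""
    return crypt_private(post_password, cookie_hash) == cookie_hash


def check_password_after_fix(post_password: bytes, cookie_hash: str) -> bool:
    """3.5.2: the cookie must carry the one prefix WordPress itself produces,
    which pins the cost to 2**13 rounds before any hashing happens."""
    if not cookie_hash.startswith(WP_PREFIX):
        return False
    return crypt_private(post_password, cookie_hash) == cookie_hash


def forged_cookie(count_log2: int = 30) -> str:
    """Attacker's cookie (constructed): a syntactically valid hash asking for
    2**count_log2 rounds (30 -> about 1.07 billion MD5 calls per request).
    It does not have to be correct; the cost is paid before the comparison fails."""
    return "$P$" + ITOA64[count_log2] + "saltsalt" + "A" * 22


if __name__ == "__main__":
    legit = hash_password(b"open sesame")
    print(legit, iteration_count(legit))                   # $P$B..., 8192
    evil = forged_cookie()
    print(evil, iteration_count(evil))                     # $P$S..., 1073741824
    print(check_password_after_fix(b"open sesame", evil))  # False, without hashing
```

The same pattern applies to any library that encodes its work factor inside the hash string (bcrypt's "$2y$cost$", Argon2's "m=,t=,p=" parameters): when the hash can arrive from an untrusted channel, bound the work factor before verifying, not after.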
  Inadequate server-side request forgery (SSRF) protection for HTTP requests
  where the user can provide a URL can allow for attacks against the intranet
  and other sites. This is a continuation of work related to CVE-2013-0235,
  which was specific to SSRF in pingback requests and was fixed in 3.5.1
  (CVE-2013-2199).

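The shape of the check that closes this class of bug, as an added example that is not part of the advisory and not WordPress code: a Python model of the kind of URL validation WordPress 3.5.2 introduced as wp_http_validate_url(), which restricts the scheme and port, refuses credentials in the URL, and rejects hosts that are or resolve to non-public addresses. The DNS table is constructed so the example runs offline; a real validator would call socket.getaddrinfo() and must check every address returned. Two caveats a practitioner will want: each redirect target is attacker-influenced too, so the HTTP client must re-run the check per hop (WordPress exposes this as the reject_unsafe_urls request argument), and a check done before connecting can be beaten by a DNS answer that changes between validation and connect, so the address validated should be the address connected to.

```python
# Added example, not WordPress code: a Python model of server-side URL
# validation of the kind WordPress 3.5.2 introduced as wp_http_validate_url().
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}  # internal services tend to live elsewhere

# Constructed DNS answers for this example only.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],                           # RFC 1918
    "metadata.internal": ["169.254.169.254"],                # link-local metadata
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],  # mixed answer set
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host.lower().rstrip("."), [])


def is_public(ip) -> bool:
    """Only routable unicast addresses may be fetched on a user's behalf."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url: str, resolver=fake_resolve) -> tuple:
    """(True, url) if the server may fetch this URL, else (False, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port                 # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        addrs = [ipaddress.ip_address(host)]   # literal, including bracketed IPv6
    except ValueError:
        answers = resolver(host)
        if not answers:
            return False, "host does not resolve"   # fail closed, not open
        addrs = [ipaddress.ip_address(a) for a in answers]
    for ip in addrs:                                # one bad answer poisons the set
        if not is_public(ip):
            return False, "%s maps to non-public address %s" % (host, ip)
    return True, url


def validate_redirect_chain(hops, resolver=fake_resolve) -> tuple:
    """Every Location: target must pass the same check as the first URL."""
    for hop in hops:
        ok, info = validate_url(hop, resolver)
        if not ok:
            return False, info
    return True, hops[-1]


if __name__ == "__main__":
    for u in ("https://example.com/feed", "http://intranet.corp/", "http://[::1]/",
              "http://user:pw@example.com/", "http://example.com:22/",
              "http://rebind.attacker.test/"):
        print(u, validate_url(u))
```

Note that an unresolvable host is rejected here rather than allowed through; a validator that only blocks what it can positively classify as internal leaves room for names and address spellings it did not anticipate.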
  Inadequate checking of a user's capabilities could allow them to publish
  posts when their user role should not allow for it, and to assign posts to
  other authors (CVE-2013-2200).

  Inadequate escaping allowed an administrator to trigger a cross-site
  scripting vulnerability through the uploading of media files and plugins
  (CVE-2013-2201).

  The processing of an oEmbed response is vulnerable to an XML external
  entity (XXE) attack (CVE-2013-2202).

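One way a consumer of oEmbed XML can protect itself, as an added example that is not part of the advisory and not WordPress code: the oEmbed format never needs a DTD, so a response containing a DOCTYPE or ENTITY declaration is refused before any XML parser sees it. WordPress's own PHP fix disables libxml's external entity loader around the parse; the gate below is an independent, parser-agnostic layer that also stops nested internal-entity expansion. The sample provider responses, the field names beyond type and version, and the function names are constructed for this example.

```python
# Added example, not WordPress code: an oEmbed XML consumer that refuses any
# document carrying a DTD before the bytes reach the XML parser.
import re
import xml.etree.ElementTree as ET

DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
REQUIRED_FIELDS = {"type", "version"}   # mandatory in every oEmbed response


class UnsafeOEmbedResponse(ValueError):
    pass


def reject_dtd(body: bytes) -> None:
    """oEmbed never needs a DTD, so its presence is treated as hostile."""
    if DTD_MARKER.search(body):
        raise UnsafeOEmbedResponse("DTD or entity declaration in oEmbed response")


def parse_oembed_xml(body: bytes) -> dict:
    reject_dtd(body)                      # before any parser touches the input
    root = ET.fromstring(body)
    if root.tag != "oembed":
        raise UnsafeOEmbedResponse("root element is <%s>, expected <oembed>" % root.tag)
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = REQUIRED_FIELDS - set(fields)
    if missing:
        raise ValueError("oEmbed response missing %s" % sorted(missing))
    return fields


def is_safe_oembed(body: bytes) -> bool:
    """True only for a well-formed, DTD-free response with the mandatory fields."""
    try:
        parse_oembed_xml(body)
        return True
    except (UnsafeOEmbedResponse, ET.ParseError, ValueError):
        return False


# Constructed sample responses.
GOOD_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<oembed>
  <type>photo</type>
  <version>1.0</version>
  <title>Constructed sample</title>
  <url>https://example.com/image.jpg</url>
  <width>640</width>
  <height>480</height>
</oembed>"""

XXE_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE oembed [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<oembed><type>photo</type><version>1.0</version><title>&xxe;</title></oembed>"""

LAUGHS_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE oembed [ <!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"> ]>
<oembed><type>rich</type><version>1.0</version><html>&b;</html></oembed>"""

if __name__ == "__main__":
    print(parse_oembed_xml(GOOD_RESPONSE))
    for name, body in (("xxe", XXE_RESPONSE), ("laughs", LAUGHS_RESPONSE)):
        print(name, "accepted" if is_safe_oembed(body) else "rejected")
```

Rejecting the declaration outright is stricter than turning off entity loading in the parser, and that is the point: a provider that sends a DTD is either misconfigured or hostile, and either way there is nothing in it the embed needs.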
  If the uploads directory is not writable, error message data returned via
  XHR will include a full path to the directory (CVE-2013-2203).

  Content spoofing in the MoxieCode (TinyMCE) MoxiePlayer project
  (CVE-2013-2204).

  Cross-domain XSS in SWFUpload (CVE-2013-2205).

  The wordpress package has been updated to version 3.5.2 to fix these
  issues.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=10596
 - http://codex.wordpress.org/Version_3.5.2
 - http://wordpress.org/news/2013/06/wordpress-3-5-2/
 - https://bugzilla.redhat.com/show_bug.cgi?id=973254
 - https://bugzilla.redhat.com/show_bug.cgi?id=976784