| 1 |
davidwhodgins |
116 |
type: security |
| 2 |
|
|
subject: Updated wordpress package fixes security vulnerabilities |
| 3 |
|
|
CVE: |
| 4 |
|
|
- CVE-2013-2173 |
| 5 |
|
|
- CVE-2013-2199 |
| 6 |
|
|
- CVE-2013-2200 |
| 7 |
|
|
- CVE-2013-2201 |
| 8 |
|
|
- CVE-2013-2202 |
| 9 |
|
|
- CVE-2013-2203 |
| 10 |
|
|
- CVE-2013-2204 |
| 11 |
|
|
- CVE-2013-2205 |
| 12 |
|
|
src: |
| 13 |
|
|
2: |
| 14 |
|
|
core: |
| 15 |
|
|
- wordpress-3.5.2-1.mga2 |
| 16 |
|
|
3: |
| 17 |
|
|
core: |
| 18 |
|
|
- wordpress-3.5.2-1.mga3 |
| 19 |
|
|
description: | |
| 20 |
|
|
A denial of service flaw was found in the way Wordpress, a blog tool and |
| 21 |
|
|
publishing platform, performed hash computation when checking password for |
| 22 |
|
|
password protected blog posts. A remote attacker could provide a specially- |
| 23 |
|
|
crafted input that, when processed by the password checking mechanism of |
| 24 |
|
|
Wordpress would lead to excessive CPU consumption (CVE-2013-2173). |
| 25 |
|
|
|
| 26 |
|
|
Inadequate SSRF protection for HTTP requests where the user can provide a |
| 27 |
|
|
URL can allow for attacks against the intranet and other sites. This is a |
| 28 |
|
|
continuation of work related to CVE-2013-0235, which was specific to SSRF |
| 29 |
|
|
in pingback requests and was fixed in 3.5.1 (CVE-2013-2199). |
| 30 |
|
|
|
| 31 |
|
|
Inadequate checking of a user's capabilities could allow them to publish |
| 32 |
|
|
posts when their user role should not allow for it; and to assign posts to |
| 33 |
|
|
other authors (CVE-2013-2200). |
| 34 |
|
|
|
| 35 |
|
|
Inadequate escaping allowed an administrator to trigger a cross-site |
| 36 |
|
|
scripting vulnerability through the uploading of media files and plugins |
| 37 |
|
|
(CVE-2013-2201). |
| 38 |
|
|
|
| 39 |
|
|
The processing of an oEmbed response is vulnerable to an XXE |
| 40 |
|
|
(CVE-2013-2202). |
| 41 |
|
|
|
| 42 |
|
|
If the uploads directory is not writable, error message data returned via |
| 43 |
|
|
XHR will include a full path to the directory (CVE-2013-2203). |
| 44 |
|
|
|
| 45 |
|
|
Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project |
| 46 |
|
|
(CVE-2013-2204). |
| 47 |
|
|
|
| 48 |
|
|
Cross-domain XSS in SWFUpload (CVE-2013-2205). |
| 49 |
|
|
references: |
| 50 |
|
|
- https://bugs.mageia.org/show_bug.cgi?id=10596 |
| 51 |
|
|
- http://codex.wordpress.org/Version_3.5.2 |
| 52 |
|
|
- http://wordpress.org/news/2013/06/wordpress-3-5-2/ |
| 53 |
|
|
- https://bugzilla.redhat.com/show_bug.cgi?id=973254 |
| 54 |
|
|
- https://bugzilla.redhat.com/show_bug.cgi?id=976784 |
Parent Directory
| 
Revision Log