Bug 229991 (CVE-2007-1049)
| Field | Value |
|---|---|
| Summary | CVE-2007-1049: wordpress < 2.1.1 XSS |
| Product | Fedora |
| Component | wordpress |
| Status | CLOSED NEXTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1049 |
| Whiteboard | |
| Fixed In Version | |
| Reporter | Ville Skyttä <ville.skytta> |
| Assignee | John Berninger <john> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | deisenst, fedora-security-list |
| Keywords | Security |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2007-02-27 16:12:40 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Ville Skyttä
2007-02-25 16:37:38 UTC
New packages uploaded / built

Although John Berninger indicates that, as of 2007-02-27, new packages have been uploaded and built for Wordpress, I am not seeing any new packages in the Extras repositories for Wordpress for FC5 nor for devel. What's going on?

Indeed, it seems that the new versions were tagged, but I don't see that they were ever built. It's probably just an oversight; I could build them myself, but at this point I think it's more prudent to wait and see if the maintainer will chime in soon.

Which repository/mirror do you use? I verified the existence of the builds before marking this CVE taken care of in fedora-security/audit/fe*, and they're still there just as expected:

```
$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/wordpress-2.1.1-0.fc5.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:41:47 GMT
$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/6/i386/wordpress-2.1.1-0.fc6.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:40:52 GMT
$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/development/i386/wordpress-2.1.1-0.fc7.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 23:30:09 GMT
```

http://buildsys.fedoraproject.org/logs/fedora-5-extras/28349-wordpress-2.1.1-0.fc5/
http://buildsys.fedoraproject.org/logs/fedora-6-extras/28350-wordpress-2.1.1-0.fc6/
http://buildsys.fedoraproject.org/logs/fedora-development-extras/28351-wordpress-2.1.1-0.fc7/

New packages were indeed built as of 27-Feb-2007. If a given mirror does not have the new packages, you may wish to contact that mirror's maintainer.

Hmm, I'm mirroring from kernel.org. How odd: the binary rpm is there, but the source rpm isn't. Sorry for not checking deeper earlier. When I saw that the srpm wasn't there, I tried to extract info from the buildsys, but of course you can only go back a couple of days.

That kind of situation is almost certainly a mirroring issue. The scripts used to publish Extras repositories work so that, before creating and pushing a repo to the primary public mirror, all binary rpms for which a source rpm is not available are removed.

In any case, I've re-pulled my mirror and the srpm is there, so I don't know what was up. And in any case this is all moot, since you really, really don't want to be running 2.1.1 anyway.
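The thread turns on two checks a mirror operator would want to script: whether every binary RPM in a listing has its source RPM alongside it (the invariant the Extras push scripts enforce by dropping orphaned binaries), and whether the wordpress builds present are at or above the 2.1.1 fix for CVE-2007-1049. The following is an added example written for this page, not part of the Extras push scripts or the Fedora tooling; the mirror listing it scans is constructed (one source RPM is deliberately left out and one stale 2.1 build included so both checks find something), and sub-packages whose source RPM carries a different name are out of scope because a bare file listing does not carry the SOURCERPM header.

```python
"""Check a Fedora Extras style mirror listing for the two problems raised in
this bug: binary RPMs published without their source RPM, and wordpress builds
still below 2.1.1, the version that fixes CVE-2007-1049.

Hypothetical helper written for this page; not the Extras push scripts."""
from typing import List, Tuple

# Constructed sample listing (file names only, not a real mirror snapshot).
# The FC5 2.1.1 source RPM is missing on purpose, and a stale 2.1 build is
# included, so each check below has something to report.
LISTING = [
    "5/i386/wordpress-2.1.1-0.fc5.noarch.rpm",
    "6/i386/wordpress-2.1.1-0.fc6.noarch.rpm",
    "6/SRPMS/wordpress-2.1.1-0.fc6.src.rpm",
    "development/i386/wordpress-2.1.1-0.fc7.noarch.rpm",
    "development/SRPMS/wordpress-2.1.1-0.fc7.src.rpm",
    "5/i386/wordpress-2.1-1.fc5.noarch.rpm",
    "5/SRPMS/wordpress-2.1-1.fc5.src.rpm",
]

FIXED_VERSION = "2.1.1"  # first upstream release with the CVE-2007-1049 fix


def parse_rpm_filename(path: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch.rpm' into (name, version, release, arch).

    Package names may contain '-', so split from the right: version and release
    never do, and the arch is the last dotted component before '.rpm'."""
    base = path.rsplit("/", 1)[-1]
    if not base.endswith(".rpm"):
        raise ValueError(f"not an rpm file name: {path}")
    stem, arch = base[: -len(".rpm")].rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def orphaned_binaries(listing: List[str]) -> List[str]:
    """Binary RPMs whose name-version-release has no .src.rpm anywhere in the
    listing; these are exactly what the push scripts would refuse to publish."""
    sources = set()
    binaries = []
    for path in listing:
        name, ver, rel, arch = parse_rpm_filename(path)
        if arch == "src":
            sources.add((name, ver, rel))
        else:
            binaries.append((path, (name, ver, rel)))
    return [path for path, nvr in binaries if nvr not in sources]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Dotted upstream version -> comparable tuple (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def vulnerable_builds(listing: List[str], package: str = "wordpress",
                      fixed: str = FIXED_VERSION) -> List[str]:
    """Binary RPMs of `package` whose upstream version is older than `fixed`."""
    out = []
    for path in listing:
        name, ver, _rel, arch = parse_rpm_filename(path)
        if name == package and arch != "src" and version_tuple(ver) < version_tuple(fixed):
            out.append(path)
    return out


if __name__ == "__main__":
    for p in orphaned_binaries(LISTING):
        print("binary without source rpm:", p)
    for p in vulnerable_builds(LISTING):
        print("still below the CVE-2007-1049 fix:", p)
```

Against a live mirror the listing would come from walking the tree; the parsing and matching are unchanged. The version comparison is deliberately on the upstream version only, since the release tag (0.fc5 and so on) says nothing about which upstream fixes are present.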