Bug 512900 (CVE-2009-2851)
| Summary: | CVE-2009-2851 WordPress: XSS via unescaped HTML URLs as author comments in the admin page | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://wordpress.org/development/2009/07/wordpress-2-8-2/ | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-08-22 16:13:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jan Lieskovsky
2009-07-21 09:07:58 UTC
Is there already a CVE identifier assigned? Should I wait with the update until there is a CVE identifier available? CVE for this issue was requested here: http://www.openwall.com/lists/oss-security/2009/07/21/1 Would be better to have CVE identifier associated with the fix, but if it isn't assigned in two days (you will notice, as this bug will be updated with it), go ahead and schedule the Fedora WordPress updates. But for now please wait a little bit (for it). Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team It has been a few days without any news. I would really like to push the updates. It is somehow silly to wait if the update is already available. wordpress-2.8.2-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.fc11 wordpress-2.8.2-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.fc10 wordpress-2.8.2-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.el5 wordpress-2.8.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. wordpress-2.8.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. wordpress-2.8.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. MITRE's CVE-2009-2851 record: ----------------------------- Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2851 http://www.openwall.com/lists/oss-security/2009/07/21/1 http://bugs.gentoo.org/show_bug.cgi?id=278492 http://wordpress.org/development/2009/07/wordpress-2-8-2/ https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01241.html https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01253.html http://securitytracker.com/id?1022589 |