Bug 229991 - (CVE-2007-1049) CVE-2007-1049: wordpress < 2.1.1 XSS
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: wordpress
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: John Berninger
QA Contact: Fedora Extras Quality Assurance
http://nvd.nist.gov/nvd.cfm?cvename=C...
Keywords: Security
Reported: 2007-02-25 11:37 EST by Ville Skyttä
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-27 11:12:40 EST
Description Ville Skyttä 2007-02-25 11:37:38 EST
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1049

"Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in
the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before
2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web
script or HTML via the file parameter to wp-admin/templates.php, and possibly
other vectors involving the action variable."

FE5+ apparently affected.
Comment 1 John Berninger 2007-02-27 11:12:40 EST
New packages uploaded / built
Comment 2 David Eisenstein 2007-03-02 23:07:08 EST
Although John Berninger indicates as of 2007-02-27, new packages have
been uploaded and built for Wordpress, I am not seeing any new packages
in Extras repositories for Wordpress for FC5 nor for devel.  What's going on?
Comment 3 Jason Tibbitts 2007-03-02 23:42:19 EST
Indeed, it seems that the new versions were tagged, but I don't see that they
were ever built.  It's probably just an oversight; I could build them myself but
at this point I think it's more prudent to wait to see if the maintainer will
chime in soon.
Comment 4 Ville Skyttä 2007-03-03 02:47:17 EST
Which repository/mirror do you use?  I verified the existence of the builds
before marking this CVE taken care of in fedora-security/audit/fe* and they're
still there just as expected:

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/wordpress-2.1.1-0.fc5.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:41:47 GMT

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/6/i386/wordpress-2.1.1-0.fc6.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:40:52 GMT

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/development/i386/wordpress-2.1.1-0.fc7.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 23:30:09 GMT
Comment 5 John Berninger 2007-03-03 08:26:51 EST
http://buildsys.fedoraproject.org/logs/fedora-5-extras/28349-wordpress-2.1.1-0.fc5/

http://buildsys.fedoraproject.org/logs/fedora-6-extras/28350-wordpress-2.1.1-0.fc6/

http://buildsys.fedoraproject.org/logs/fedora-development-extras/28351-wordpress-2.1.1-0.fc7/

New packages were indeed built as of 27-Feb-2007.  If a given mirror does not
have the new packages, you may wish to contact that mirror's maintainer.
Comment 6 Jason Tibbitts 2007-03-03 10:07:56 EST
Hmm, I'm mirroring from kernel.org.  How odd, the binary rpm is there, but the
source rpm isn't.  Sorry for not checking deeper earlier.  When I saw that the
srpm wasn't there, I tried to extract info from the buildsys but of course you
can only go back a couple of days.
Comment 7 Ville Skyttä 2007-03-03 10:38:30 EST
That kind of situation is almost certainly a mirroring issue.  The scripts used
to publish Extras repositories work so that before creating and pushing a repo
to the primary public mirror, all binary rpms for which a source rpm is not
available are removed.
Comment 8 Jason Tibbitts 2007-03-03 10:47:25 EST
In any case, I've re-pulled my mirror and the srpm is there, so I don't know
what was up.  And in any case this is all moot since you really, really don't
want to be running 2.1.1 anyway.