WordPress 2.3.3 was released with the following announcement:
WordPress 2.3.3 is an urgent security release. A flaw was found in our
XML-RPC implementation such that a specially crafted request would allow
any valid user to edit posts of any other user on that blog.
Upstream bug report:
Some PoCs are already available publicly:
This is being actively exploited. My F8 server running 2.3.2 was hit by a
spammer using this hole today.
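The flaw described in the announcement is a missing object-level authorization check: the XML-RPC handler confirms that the caller is a valid user but never asks whether that user may edit the specific post named in the request. The following is an added, self-contained illustration of that pattern and its corrected form; it is not WordPress's code and does not reproduce the actual patch. The user and post tables, role names, and function names (`editPostVulnerable`, `editPostFixed`, `canEditPost`) are all constructed for this example.

```php
<?php
// Illustrative example (not WordPress code): a minimal "editPost"-style
// handler showing a missing per-object authorization check and its fix.

// Constructed sample data: hypothetical accounts and posts.
$users = [
    'alice' => ['password' => 'alice-pass', 'role' => 'author'],
    'bob'   => ['password' => 'bob-pass',   'role' => 'author'],
    'carol' => ['password' => 'carol-pass', 'role' => 'editor'],
];
$posts = [
    1 => ['author' => 'alice', 'content' => 'Original text by alice'],
    2 => ['author' => 'bob',   'content' => 'Original text by bob'],
];

// Shared step: verify the caller's credentials. Authentication is present in
// both variants; the flaw is what happens after it succeeds.
function authenticate(array $users, string $username, string $password): bool
{
    return isset($users[$username])
        && hash_equals($users[$username]['password'], $password);
}

// Vulnerable pattern: once the caller is a valid user, the handler trusts the
// post id from the request and edits whatever post it names.
function editPostVulnerable(array $users, array &$posts, string $username,
                            string $password, int $postId, string $newContent): bool
{
    if (!authenticate($users, $username, $password)) {
        return false; // not a valid account
    }
    if (!isset($posts[$postId])) {
        return false; // no such post
    }
    $posts[$postId]['content'] = $newContent; // no ownership/capability check
    return true;
}

// Authorization decision made per object: the post's author may edit it, and
// so may a role that is explicitly allowed to edit other users' posts.
function canEditPost(array $users, array $posts, string $username, int $postId): bool
{
    if (!isset($posts[$postId]) || !isset($users[$username])) {
        return false;
    }
    $isOwner       = $posts[$postId]['author'] === $username;
    $mayEditOthers = in_array($users[$username]['role'], ['editor', 'administrator'], true);
    return $isOwner || $mayEditOthers;
}

// Hardened pattern: same handler, but authentication is followed by an
// authorization check against the specific post being edited.
function editPostFixed(array $users, array &$posts, string $username,
                       string $password, int $postId, string $newContent): bool
{
    if (!authenticate($users, $username, $password)) {
        return false;
    }
    if (!canEditPost($users, $posts, $username, $postId)) {
        // A denied edit on another user's post is worth logging: it is the
        // signal a site operator would look for when checking for abuse.
        error_log("editPost denied: user=$username post=$postId");
        return false;
    }
    $posts[$postId]['content'] = $newContent;
    return true;
}

// Demonstration: bob (a valid author) tries to edit alice's post (id 1).
$copy = $posts;
echo 'vulnerable handler, bob edits post 1: ',
     editPostVulnerable($users, $copy, 'bob', 'bob-pass', 1, 'replaced') ? 'allowed' : 'denied', PHP_EOL;

$copy = $posts;
echo 'fixed handler, bob edits post 1:      ',
     editPostFixed($users, $copy, 'bob', 'bob-pass', 1, 'replaced') ? 'allowed' : 'denied', PHP_EOL;
echo 'fixed handler, alice edits post 1:    ',
     editPostFixed($users, $copy, 'alice', 'alice-pass', 1, 'edited') ? 'allowed' : 'denied', PHP_EOL;
echo 'fixed handler, carol (editor) edits 2:',
     editPostFixed($users, $copy, 'carol', 'carol-pass', 2, 'edited') ? 'allowed' : 'denied', PHP_EOL;
```

Run it with `php` from the command line. The point of the split between `authenticate()` and `canEditPost()` is that a valid login answers "who is this?" but not "may this identity touch this object?"; the second question has to be asked on every request that names a resource id, which is exactly the check the announcement says was missing.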
Building new packages for F-7, F-8, -devel. Will push as security updates as
soon as they complete.
Thanks. I was about to do that myself when I found you'd already started.
Packages rebuilt, awaiting security team approval for final push to stable repos
John: You submitted the update for testing. I will assume that you meant it for
stable and push it there.
Oh, pardon me, I lied above :} Approved though.
wordpress-2.3.3-0.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.3.3-0.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.