Red Hat Bugzilla – Bug 444396
wordpress: security fixes in upstream version 2.5.1 (CVE-2008-1930, CVE-2008-2068)
Last modified: 2008-07-25 04:59:37 EDT
New upstream WordPress version 2.5.1 was released:
"... It includes a number of bug fixes, performance enhancements, and one
very important security fix. We recommend everyone update immediately,
particularly if your blog has open registration. The vulnerability is not
public but it will be shortly."
Release announcement suggests multiple security issues were fixed in this version:
"Many thanks to Steven Murdoch for responsibly reporting the security issue
(CVE-2008-1930) and Alex Concha for reporting an XSS issue."
An attacker, who is able to register a specially crafted username on
a Wordpress 2.5 installation, is able to generate authentication
cookies for other chosen accounts.
This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.
The vulnerability is fixed in Wordpress 2.5.1
(This is probably the secret issue, with undisclosed details.)
Addition to comment #1:
According to Steven Murdoch's paper, the cookie protection mechanism affected by
CVE-2008-1930 was only introduced in WordPress 2.5 and therefore should not
affect versions of WordPress currently shipped in Fedora.
This seems to be a fix for XSS mentioned in the announcement:
Thanks for comment #2 about Fedora not being affected.
The problem is that the release talks about multiple security fixes and as there
will be no update for 2.3.3 and as the update from 2.3.3 to 2.5.1 seems to be
pretty easy (and for my tests without problems) I would still prefer that the
updates are pushed. Maybe as a first step only to testing if Fedora is not affected.
Oops, all these should be relevant for the XSS issue:
Other issue fixed in 2.5.1 - unauthorized attachment attributes edits:
Any user that knows the ID of an attachment is able to edit some attributes
(In reply to comment #4)
> The problem is that the release talks about multiple security fixes
Yes. Hopefully, those should be all listed here now.
> will be no update for 2.3.3 and as the update from 2.3.3 to 2.5.1 seems to be
> pretty easy (and for my tests without problems) I would still prefer that the
> updates are pushed.
Sounds ok to me. Updates are now waiting for RelEng to sign and push.
> Maybe as a first step only to testing if Fedora is not affected.
Feel free to change request from stable to testing if you prefer.
Thanks for the quick update!
wordpress-2.5.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.5.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
CVE id for the XSS issue:
Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows
remote attackers to inject arbitrary web script or HTML via
This issue was addressed in: