New upstream WordPress version 2.5.1 was released: http://wordpress.org/development/2008/04/wordpress-251/ "... It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly." The release announcement suggests multiple security issues were fixed in this version: "Many thanks to Steven Murdoch for responsibly reporting the security issue (CVE-2008-1930) and Alex Concha for reporting an XSS issue."
CVE-2008-1930: An attacker, who is able to register a specially crafted username on a WordPress 2.5 installation, is able to generate authentication cookies for other chosen accounts. This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection. If a WordPress blog is configured to freely permit account creation, a remote attacker can gain WordPress-administrator access and then elevate this to arbitrary code execution as the web server user. The vulnerability is fixed in WordPress 2.5.1.
References:
http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-integrity.txt
http://marc.info/?l=full-disclosure&m=120913941501562&w=4
http://trac.wordpress.org/changeset/7822
(This is probably the secret issue, with undisclosed details.)
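The integrity flaw behind CVE-2008-1930 is a MAC computed over an ambiguous input. The following is an added illustration, not WordPress code and not from the advisory: it assumes, after Murdoch's advisory linked above, a cookie of the form username|expiration|tag whose tag is an HMAC over the bare concatenation of username and expiration, and shows beside it a delimited construction of the kind the 2.5.1 fix introduced. The secret key, usernames and expiration values are constructed for the demo; the assumption that the registration path refuses '|' in usernames is stated in the code.

```python
import hashlib
import hmac

# Constructed demo key; a real site derives this from a per-installation secret.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"


def tag_concat(username: str, expiration: str) -> str:
    """Weak construction (assumed layout from the advisory): HMAC over the bare
    concatenation username + expiration. With no delimiter, "admin" + "1234567890"
    and "admin1" + "234567890" feed the HMAC identical bytes and get identical tags."""
    return hmac.new(SECRET_KEY, (username + expiration).encode(), hashlib.md5).hexdigest()


def tag_delimited(username: str, expiration: str) -> str:
    """Hardened construction: the fields are joined with a delimiter that the
    registration path must refuse in usernames ('|' here, an assumption), so every
    MAC input has exactly one parse into (username, expiration)."""
    return hmac.new(SECRET_KEY, f"{username}|{expiration}".encode(), hashlib.md5).hexdigest()


def issue_cookie(username: str, expiration: str, tag_fn) -> str:
    """Build the cookie a login would set under the chosen tag construction."""
    return f"{username}|{expiration}|{tag_fn(username, expiration)}"


def verify_cookie(cookie: str, tag_fn):
    """Return the authenticated username, or None when the cookie is malformed
    or its tag does not match the fields it carries."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiration, tag = parts
    expected = tag_fn(username, expiration)
    # Constant-time comparison on bytes (str inputs must be ASCII for compare_digest).
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return username


def resplit_collides(user_a: str, exp_a: str, user_b: str, exp_b: str, tag_fn) -> bool:
    """Audit helper: True when two different (username, expiration) pairs receive
    the same tag under tag_fn, i.e. the MAC input is ambiguous."""
    if (user_a, exp_a) == (user_b, exp_b):
        return False
    return tag_fn(user_a, exp_a) == tag_fn(user_b, exp_b)


def demo(tag_fn):
    """Issue a cookie to the constructed low-privilege account "admin1", then
    re-split the same MAC input as user "admin" with a shifted expiration field.
    Returns the username the verifier accepts, or None if it rejects the re-split."""
    issued = issue_cookie("admin1", "234567890", tag_fn)
    tag = issued.rsplit("|", 1)[1]
    resplit = f"admin|1234567890|{tag}"
    return verify_cookie(resplit, tag_fn)


if __name__ == "__main__":
    print("bare concatenation accepts re-split cookie as:", demo(tag_concat))
    print("delimited input accepts re-split cookie as:", demo(tag_delimited))
```

The lesson generalises beyond this cookie: any MAC or signature over concatenated variable-length fields needs an unambiguous encoding (a delimiter the fields cannot contain, or length prefixes) before the tag is computed, and the verifier must re-derive the tag from exactly the fields it will act on.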
Addition to comment #1: According to Steven Murdoch's paper, the cookie protection mechanism affected by CVE-2008-1930 was only introduced in WordPress 2.5 and therefore should not affect the versions of WordPress currently shipped in Fedora.
This seems to be a fix for XSS mentioned in the announcement: http://trac.wordpress.org/changeset/7826
Thanks for comment #2 about Fedora not being affected. The problem is that the release talks about multiple security fixes, and as there will be no update for 2.3.3 and the update from 2.3.3 to 2.5.1 seems to be pretty easy (and in my tests without problems), I would still prefer that the updates are pushed. Maybe as a first step only to testing, if Fedora is not affected.
Oops, all of these should be relevant for the XSS issue:
http://trac.wordpress.org/changeset/7819
http://trac.wordpress.org/changeset/7823
http://trac.wordpress.org/changeset/7826
Another issue fixed in 2.5.1: unauthorized edits of attachment attributes. Any user that knows the ID of an attachment is able to edit some attributes of it.
http://trac.wordpress.org/ticket/6838
Changesets:
http://trac.wordpress.org/changeset/7828
http://trac.wordpress.org/changeset/7830
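The attachment issue is a missing object-level authorization check: knowing an identifier stands in for being allowed to edit the object. As an added illustration (not WordPress code and not taken from the changesets above), the handler below is shown in the unchecked form beside a hardened form that verifies ownership or a capability before applying an edit, and only accepts a whitelisted set of attributes. The store, users, attachment IDs and the capability name "edit_any_attachment" are constructed for the demo and are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Attachment:
    id: int
    owner: str
    title: str
    caption: str = ""


@dataclass
class User:
    name: str
    capabilities: set = field(default_factory=set)


# Attributes a caller may change through the edit endpoint (constructed whitelist).
EDITABLE_ATTRIBUTES = {"title", "caption"}


def sample_store():
    """Constructed sample data: two attachments owned by different users."""
    return {
        101: Attachment(id=101, owner="alice", title="holiday.jpg"),
        102: Attachment(id=102, owner="bob", title="notes.pdf"),
    }


def edit_attachment_unchecked(store, user, attachment_id, **attrs):
    """Vulnerable pattern: the attachment is looked up by ID and modified
    without asking whether `user` may touch it."""
    att = store[attachment_id]
    for key, value in attrs.items():
        setattr(att, key, value)
    return att


def can_edit(user, att):
    """Owner of the attachment, or a user holding the (hypothetical)
    edit_any_attachment capability."""
    return att.owner == user.name or "edit_any_attachment" in user.capabilities


def edit_attachment(store, user, attachment_id, **attrs):
    """Hardened handler: authorize against the object, then restrict the edit
    to known attributes so callers cannot reassign ownership or the ID."""
    att = store.get(attachment_id)
    if att is None:
        raise KeyError(f"no attachment {attachment_id}")
    if not can_edit(user, att):
        raise PermissionError(f"{user.name} may not edit attachment {attachment_id}")
    unknown = set(attrs) - EDITABLE_ATTRIBUTES
    if unknown:
        raise ValueError(f"attributes not editable: {sorted(unknown)}")
    for key, value in attrs.items():
        setattr(att, key, value)
    return att


if __name__ == "__main__":
    store = sample_store()
    bob = User("bob")
    print(edit_attachment_unchecked(store, bob, 101, title="renamed-by-bob"))
    try:
        edit_attachment(store, bob, 101, title="renamed-by-bob")
    except PermissionError as exc:
        print("rejected:", exc)
```

The check is deliberately made against the loaded object (its owner) rather than against the request alone, which is what distinguishes object-level authorization from a coarse "is logged in" test.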
(In reply to comment #4)
> The problem is that the release talks about multiple security fixes
Yes. Hopefully, those should all be listed here now.
> will be no update for 2.3.3 and as the update from 2.3.3 to 2.5.1 seems to be
> pretty easy (and for my tests without problems) I would still prefer that the
> updates are pushed.
Sounds ok to me. Updates are now waiting for RelEng to sign and push.
> Maybe as a first step only to testing if Fedora is not affected.
Feel free to change the request from stable to testing if you prefer. Thanks for the quick update!
wordpress-2.5.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.5.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
CVE ID for the XSS issue: CVE-2008-2068: Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References:
http://wordpress.org/development/2008/04/wordpress-251/
http://secunia.com/advisories/29965
http://xforce.iss.net/xforce/xfdb/42029
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3397