From WordPress blog:
WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs
were not fully sanitized when displayed in the admin. This could
be exploited to redirect you away from the admin to another site.
Note: Please be sure to mention CVE identifier in the WordPress's
rpm Changelog when scheduling Fedora updates / addressing this
Is there already a CVE identifier assigned? Should I wait with the update until there is a CVE identifier available?
CVE for this issue was requested here:
Would be better to have CVE identifier associated with the fix,
but if it isn't assigned in two days (you will notice, as this
bug will be updated with it), go ahead and schedule the Fedora
But for now please wait a little bit (for it).
Jan iankko Lieskovsky / Red Hat Security Response Team
It has been a few days without any news. I would really like to push the updates. It is somehow silly to wait if the update is already available.
wordpress-2.8.2-1.fc11 has been submitted as an update for Fedora 11.
wordpress-2.8.2-1.fc10 has been submitted as an update for Fedora 10.
wordpress-2.8.2-1.el5 has been submitted as an update for Fedora EPEL 5.
wordpress-2.8.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.8.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.8.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
MITRE's CVE-2009-2851 record:
Cross-site scripting (XSS) vulnerability in the administrator
interface in WordPress before 2.8.2 allows remote attackers to inject
arbitrary web script or HTML via a comment author URL.