A denial of service (resource exhaustion) flaw was found in the way WordPress used to handle HTTP headers, contained in the "trackback" message, sent to WordPress. A local, unprivileged user could send a specially-crafted trackback message to a running instance of WordPress, leading to its crash.

References:
----------
http://wordpress.org/development/2009/10/wordpress-2-8-5-hardening-release/
http://seclists.org/fulldisclosure/2009/Oct/263

PoC:
----
http://codes.zerial.org/php/wp-trackbacks_dos.phps

CVE was requested here:
-----------------------
http://www.openwall.com/lists/oss-security/2009/10/21/2
This issue affects current versions of the wordpress package, as shipped with Fedora releases 10 and 11 and within the Extra Packages for Enterprise Linux 5 (EPEL-5) project (wordpress-2.8.4-1.fc10, wordpress-2.8.4-1.fc11, wordpress-2.8.4-1.el5). This issue affects the version of the wordpress package, as scheduled to be included in Fedora release 12 (wordpress-2.8.4-1.fc12). Please fix. This issue does NOT affect the version of the wordpress package, as shipped within Rawhide (wordpress-2.8.5-1.fc13 already contains the upstream 2.8.5 hardened version).
wordpress-2.8.5-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/wordpress-2.8.5-1.fc12
wordpress-2.8.5-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/wordpress-2.8.5-1.fc11
wordpress-2.8.5-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/wordpress-2.8.5-1.fc10
wordpress-2.8.5-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/wordpress-2.8.5-1.el5
wordpress-2.8.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.8.5-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.8.5-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-mu-2.8.5.2-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/wordpress-mu-2.8.5.2-1.el5
wordpress-mu-2.8.5.2-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/wordpress-mu-2.8.5.2-1.fc11
wordpress-mu-2.8.5.2-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/wordpress-mu-2.8.5.2-1.fc10
wordpress-mu-2.8.5.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-mu-2.8.5.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-mu-2.8.5.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.