Bug 904276 - wordpress: multiple flaws fixed in 3.5.1
Status: CLOSED DUPLICATE of bug 904120
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Depends On: 904124 904125 904277 904278
Reported: 2013-01-25 17:45 EST by Vincent Danen
Modified: 2013-01-28 04:31 EST
Doc Type: Bug Fix
Last Closed: 2013-01-28 04:29:13 EST
Description Vincent Danen 2013-01-25 17:45:14 EST
WordPress 3.5.1 was released [1] with the following security issues fixed:

* A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.

* Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.

* A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

[1] http://wordpress.org/news/2013/01/wordpress-3-5-1/
Comment 1 Vincent Danen 2013-01-25 17:47:33 EST
Created wordpress tracking bugs for this issue

Affects: fedora-all [bug 904277]
Affects: epel-all [bug 904278]
