Bug 229991 (CVE-2007-1049) - CVE-2007-1049: wordpress < 2.1.1 XSS
Summary: CVE-2007-1049: wordpress < 2.1.1 XSS
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2007-1049
Product: Fedora
Classification: Fedora
Component: wordpress
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Berninger
QA Contact: Fedora Extras Quality Assurance
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2007-02-25 16:37 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-27 16:12:40 UTC
Type: ---
Embargoed:


Description Ville Skyttä 2007-02-25 16:37:38 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1049

"Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in
the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before
2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web
script or HTML via the file parameter to wp-admin/templates.php, and possibly
other vectors involving the action variable."

FE5+ apparently affected.
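
Added example (not part of the original report, and not Fedora or WordPress code): a Python check of a version string or package file name against the affected ranges quoted in the description above. The function names, the file-name pattern, and the `None` result for branches the description does not mention are assumptions of this example.

```python
import re

# Ranges quoted in the description of CVE-2007-1049:
# "WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1".
# Maps each affected branch to the first fixed release on that branch.
FIRST_FIXED = {(2, 0): (2, 0, 9), (2, 1): (2, 1, 1)}

# File names like wordpress-2.1.1-0.fc5.noarch.rpm (name-version-release.arch.rpm).
RPM_NAME = re.compile(
    r"^wordpress-(?P<version>\d+(?:\.\d+)*)-[^-]+\.(?:noarch|src)\.rpm$"
)


def parse_version(text):
    """Turn '2.0.10' into (2, 0, 10) so releases compare as integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))  # treat '2.1' as 2.1.0
    return tuple(nums)


def is_affected(version):
    """True/False inside the quoted branches, None for any other branch."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return None  # assumption: the description says nothing about this branch
    return v < fixed


def rpm_is_affected(path_or_url):
    """Apply is_affected() to the version embedded in a package file name."""
    name = path_or_url.rsplit("/", 1)[-1]
    match = RPM_NAME.match(name)
    if match is None:
        raise ValueError(f"not a wordpress rpm file name: {name!r}")
    return is_affected(match.group("version"))


if __name__ == "__main__":
    # Constructed sample versions; a string comparison would misorder 2.0.10.
    for sample in ("2.0.8", "2.0.9", "2.0.10", "2.1", "2.1.1", "1.5.2"):
        print(sample, is_affected(sample))
```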

Comment 1 John Berninger 2007-02-27 16:12:40 UTC
New packages uploaded / built

Comment 2 David Eisenstein 2007-03-03 04:07:08 UTC
Although John Berninger indicates as of 2007-02-27, new packages have
been uploaded and built for Wordpress, I am not seeing any new packages
in Extras repositories for Wordpress for FC5 nor for devel.  What's going on?

Comment 3 Jason Tibbitts 2007-03-03 04:42:19 UTC
Indeed, it seems that the new versions were tagged, but I don't see that they
were ever built.  It's probably just an oversight; I could build them myself but
at this point I think it's more prudent to wait to see if the maintainer will
chime in soon.

Comment 4 Ville Skyttä 2007-03-03 07:47:17 UTC
Which repository/mirror do you use?  I verified the existence of the builds
before marking this CVE taken care of in fedora-security/audit/fe* and they're
still there just as expected:

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/wordpress-2.1.1-0.fc5.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:41:47 GMT

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/6/i386/wordpress-2.1.1-0.fc6.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:40:52 GMT

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/development/i386/wordpress-2.1.1-0.fc7.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 23:30:09 GMT


Comment 5 John Berninger 2007-03-03 13:26:51 UTC
http://buildsys.fedoraproject.org/logs/fedora-5-extras/28349-wordpress-2.1.1-0.fc5/

http://buildsys.fedoraproject.org/logs/fedora-6-extras/28350-wordpress-2.1.1-0.fc6/

http://buildsys.fedoraproject.org/logs/fedora-development-extras/28351-wordpress-2.1.1-0.fc7/

New packages were indeed built as of 27-Feb-2007.  If a given mirror does not
have the new packages, you may wish to contact that mirror's maintainer.

Comment 6 Jason Tibbitts 2007-03-03 15:07:56 UTC
Hmm, I'm mirroring from kernel.org.  How odd, the binary rpm is there, but the
source rpm isn't.  Sorry for not checking deeper earlier.  When I saw that the
srpm wasn't there, I tried to extract info from the buildsys but of course you
can only go back a couple of days.

Comment 7 Ville Skyttä 2007-03-03 15:38:30 UTC
That kind of situation is almost certainly a mirroring issue.  The scripts used
to publish Extras repositories work so that before creating and pushing a repo
to the primary public mirror, all binary rpms for which a source rpm is not
available are removed.

Comment 8 Jason Tibbitts 2007-03-03 15:47:25 UTC
In any case, I've re-pulled my mirror and the srpm is there, so I don't know
what was up.  And in any case this is all moot since you really, really don't
want to be running 2.1.1 anyway.
