XML-RPC SQL injection:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3140

Cross site scripting:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3238
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3239
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3240
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3241

Note: these have been reported against Wordpress 2.2; I haven't investigated whether 2.1.3, currently in Fedora, is affected. Also, 2.2.1 seems to have been released today, fixing at least some of these issues.
Additional unrestricted file upload issues:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3543
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3544
wordpress-2.2.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2007-3544 is reported against 2.2.1, reopening for verification whether this update is still vulnerable.
John: What about CVE-2007-3544? Will this ever get updated?
John: In my opinion Wordpress is not quality software that would really belong in Fedora; unfortunately, your package fully complies with the guidelines. Obviously, your opinion is different, so please do care about doing updates -- maintaining the bucket of bugs that wordpress indeed is needs some extra responsibility.
There has been no patch from upstream for this issue, and no response from them in response to my latest query on this issue. When upstream generates a patch, or replies that the current release is not vulnerable, I will update this bug.
John: That practically means that Wordpress upstream is dead, right? I don't feel comfortable about having an unfixed vulnerability in distribution, do you? Please do your best to solve the situation.
Wordpress upstream is far from dead; they simply did not respond to my inquiry regarding this specific vulnerability. They have made additional releases, and we currently have version 2.2.3 available in FC7 and 2.3.1 in devel. I'm as comfortable having wordpress in the distro as I am with having various bugs I've reported in RHEL still being open after multiple years, or closed with a WONTFIX from PM.
RHEL is a different operating system with a different development model and different expectations from users. Not a good analogy. I understand that you cannot do anything about fixing this anyway without more specific information than the advisory. I mailed the guy who discovered the flaw and asked for more information. If we don't learn more, we may consider the issue non{public,existent}.
I'm closing this INSUFFICIENT_DATA, as the CVE-2007-3544 description only links to the same advisory as CVE-2007-3543 and does not give any details on in what ways the fix for CVE-2007-3543 is incomplete.