Hi,
* jida...@jidanni.org <jida...@jidanni.org> [2009-01-19 22:14]:
> $ grep wp_version\ = /usr/share/wordpress/wp-includes/version.php
> $wp_version = '2.6.2';
[...]
> 2.7. Versions older than 2.6.5 are known to have vulnerabilities that can be
> exploited for many purposes including defacing your websites, writing arbitrary
> data to the filesystem under your user (including other domains without
> WordPress), sending spam, running phishing scams, and various other prohibited
> or illegal activity. If you are running an older version of WordPress, please
> upgrade as soon as possible.

We are currently not aware of any vulnerability with the impact you described
above. As you are referring to unstable, currently unstable suffers of fixes for
the following CVE ids:

CVE-2008-5695 (wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 ...)
        - wordpress <unfixed> (low)
CVE-2008-XXXX [possible script injection via /etc/wordpress/wp-config.php]
        - wordpress <unfixed> (bug #500295; unimportant)
CVE-2008-0195 (WordPress 2.0.11 and earlier allows remote attackers to obtain ...)
        - wordpress <unfixed> (unimportant)
CVE-2008-0191 (WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive ...)
        - wordpress <unfixed> (unimportant)
CVE-2006-4743 (WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain ...)
        - wordpress <unfixed> (unimportant)
CVE-2006-3390 (WordPress 2.0.3 allows remote attackers to obtain the installation ...)
        - wordpress <unfixed> (unimportant)
CVE-2006-3389 (index.php in WordPress 2.0.3 allows remote attackers to obtain ...)
        - wordpress <unfixed> (unimportant)
CVE-2006-0733 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in WordPress ...)
        - wordpress <unfixed> (unimportant)

As you see, all of the unfixed issues except CVE-2008-5695 are marked as
unimportant by members of the security team (this data is taken from the
security tracker[0]) and none of these have the impact you described.
CVE-2008-5695 leads to code execution, not for random attackers but only for
administrator and editor users, which is why the impact is rated as low.

So if you want to be helpful, please provide us detailed information about your
claims, and please don't abuse a bug affecting only stable to report your problem.

[0] http://security-tracker.debian.net/

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.