Bug#962685: wordpress 5.4.2 security release
Hi Craig, On Fri, Jun 12, 2020 at 06:33:14AM +0200, Salvatore Bonaccorso wrote: > Hi Craig, > > On Fri, Jun 12, 2020 at 09:40:34AM +1000, Craig Small wrote: > > Source: wordpress > > Version: 5.4.1+dfsg1-1 > > Severity: grave > > Tags: security upstream > > Justification: user security hole > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > > > > WordPress 5.4.2 is out and fixes the following vulnerabilities: > [...] > > Thanks for filling the bugreport about those, added tracking in the > security-tracker correspondigly. > > Are you requesting CVEs for those? Looks that for all (but not your first mentioned issue) they have CVEs assigned now (was not when I checked). They are at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf Regards, Salvatore
Bug#962685: wordpress 5.4.2 security release
Hi Craig, On Fri, Jun 12, 2020 at 09:40:34AM +1000, Craig Small wrote: > Source: wordpress > Version: 5.4.1+dfsg1-1 > Severity: grave > Tags: security upstream > Justification: user security hole > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > WordPress 5.4.2 is out and fixes the following vulnerabilities: [...] Thanks for filling the bugreport about those, added tracking in the security-tracker correspondigly. Are you requesting CVEs for those? Regards, Salvatore
Bug#962685: wordpress 5.4.2 security release
Source: wordpress Version: 5.4.1+dfsg1-1 Severity: grave Tags: security upstream Justification: user security hole -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 WordPress 5.4.2 is out and fixes the following vulnerabilities: Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor. https://core.trac.wordpress.org/changeset/47948 All releases Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files. https://core.trac.wordpress.org/changeset/47947 (I think) All releases Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect(). https://core.trac.wordpress.org/changeset/47949 All releases Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads. https://core.trac.wordpress.org/changeset/47950 All releases Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation. https://core.trac.wordpress.org/changeset/47951 All releases Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions. https://core.trac.wordpress.org/changeset/47984 All releases There is also a fix for unmoderated comments visible to indexers which will be backported. WordPress say its not a security issue, but seems like you are getting the site to do something that it shouldn't. https://make.wordpress.org/core/2020/06/09/wordpress-5-4-2-prevent-unmoderated-comments-from-search-engine-indexation/ https://core.trac.wordpress.org/ticket/49956 https://core.trac.wordpress.org/changeset/47887 https://core.trac.wordpress.org/changeset/47889 Present: 5.4 only (5.1 onwards, see the ticket) - -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -BEGIN PGP SIGNATURE- iQJGBAEBCgAwFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAl7iwOsSHGNzbWFsbEBk ZWJpYW4ub3JnAAoJEAIhZsD/PITjYIAP/R+4+bSwUXz0IPSijvsH4PkIICe3k1wj dBSgFWWjFcVyYZwbpQ5SqgyspGG5aFhQPNWiSAvv0BILWY///jbPmsSoqz0s58xC QcjBkUiif1GDZq60IaA8igy2eotD90FQxr8Y16iDFSbkC0U3x4sV1UW3WlDEyxnW ILRusFo8m0L9J+rTQUxu0SGHK4WM2nvCGNp1U3l5/JreKZxlLIeoy+y44GsCPktn 8wDIqZ91bUpfhUcyL7BZu7g94cUnC8RhZxX//TiVYlH54pXneascPuedZAGV/qi6 0TMTuSvdPd9/pKtKhCo2jUb70CRWiP4r3QDgRM7oqcx8jLaLvBcvWmaAQjpc6eZB jgRX6HAEkm2CVFor4VtwRH/726RLLm34IokYnXU74Wp+LVjtXIYMLoP/fkbEvJW4 ClrMMEUe/+bkWLmWu6iGdbNM325eFsTvkDOngCNV/g/lsEp5gzHZwCwzL+0J21ds /KglCuE+BRn4XSCCxOEU+HS7EM8A+NWrO95elryeVE2SRQb/11F8s6TkIMMMqFPD B4m8+J5Ooj7LzS3dErVuXlOOVX0YXFVOL6AThfitW9SHOn37NmRsvOuSJCySKdI6 60A7WJvuH460JcpASDSR4XoJpBy+NnAkA4uTJ9ihlLKbZBkhy+vS/E/6M73yL9Aw QCZSPwT6j/lX =E8qn -END PGP SIGNATURE-
