[Bug 670349] New: next wordpress security update...
https://bugzilla.novell.com/show_bug.cgi?id=670349
https://bugzilla.novell.com/show_bug.cgi?id=670349#c0

Summary: next wordpress security update...
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: All
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Infrastructure
AssignedTo: mehle@novell.com
ReportedBy: suse-beta@cboltz.de
QAContact: lrupp@novell.com
Found By: Beta-Customer
Blocker: ---

Matthew, it looks like wordpress is nearly as fast as you are ;-)

About a week ago, you updated news.o.o/lizards.o.o to wordpress 3.0.4 (bug 663414). Now guess what: yesterday another security update was released that contains some XSS fixes. Details: http://codex.wordpress.org/Version_3.0.5

I recommend upgrading to the latest version.

Sidenote: In the long term, switching to Serendipity might be an option - it needs only one or two security updates per year ;-)

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=670349#c1

Matthew Ehle <mehle@novell.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Priority|P5 - None   |P2 - High
             Status|NEW         |ASSIGNED
           Severity|Critical    |Normal

--- Comment #1 from Matthew Ehle <mehle@novell.com> 2011-02-08 18:13:32 UTC ---
Critical = Crash, loss of data, corruption of data, severe memory leak
Normal = Regular issue, some loss of functionality under specific circumstances

Reclassifying as a normal bug with a P2 (High) priority. I will start work on it this week. Let's plan to go into production early next week, as soon as the blackout period ends.

If openSUSE wants to look at Serendipity, I will be happy to help. However, is it more secure, or just more obscure? ;)
https://bugzilla.novell.com/show_bug.cgi?id=670349#c2

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> 2011-02-08 23:13:30 CET ---
(Sorry for marking the bug as "critical", for me security issues tend to increase the severity ;-)

(In reply to comment #1)
> If openSUSE wants to look at Serendipity, I will be happy to help. However, is it more secure, or just more obscure? ;)

It IS more secure - that's not only my opinion, but also that of some people I know who are quite paranoid about server security and at the same time really know what they are doing (one of them was server security boss at a big German freemail provider).

BTW: The security issues Serendipity had were mostly caused by "foreign" code like the WYSIWYG editor library. The code that was written by the Serendipity developers only had minor issues.

Serendipity also has some other advantages like smarty templates (instead of mixing PHP and HTML - already that can avoid several security issues), lots of available plugins, very responsible developers etc.

Oh, and of course it can import the existing wordpress data ;-)
https://bugzilla.novell.com/show_bug.cgi?id=670349#c

Mike Elquist <melquist@novell.com> changed:

           What    |Removed            |Added
----------------------------------------------------------------------------
                 CC|                   |melquist@novell.com
         AssignedTo|mehle@novell.com   |ajonkhart@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=670349#c3

Marcus Rückert <mrueckert@novell.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |mrueckert@novell.com

--- Comment #3 from Marcus Rückert <mrueckert@novell.com> 2011-05-26 16:42:29 UTC ---
In the meantime we are at 3.1.3 (see http://codex.wordpress.org/Version_3.13), which is again a security update.
https://bugzilla.novell.com/show_bug.cgi?id=670349#c4

Lars Vogdt <lrupp@novell.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |draht@novell.com, lrupp@novell.com

--- Comment #4 from Lars Vogdt <lrupp@novell.com> 2011-05-27 20:05:31 UTC ---
Just for reference, here's a short list of public VUL issues fixed in the newer versions:

3.0.5:
* Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role. (r17397, r17406, r17412)
* Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role. (r17401)
* Fix potential information disclosure of posts through the media uploader. Affects users of the Author role. (r17393)

3.0.6:
* Fix a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)

3.1.1:
* Security hardening to media uploads (r17569)
* Correct minor XSS flaw on database upgrade screens (r17583)

3.1.2:
* Fix a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)

3.1.3:
* Various security hardening by Alexander Concha.
* Taxonomy query hardening by John Lamansky.
* Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
* Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
* Introduce "clickjacking" protection in modern browsers on admin and login pages.

This P2 bug has been open since 2011-02-08 (more than 3 months) now. I did not invest time to see whether our instances are affected by the vulnerabilities or information disclosures listed above, please ping me if I should do so.
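The two fix classes that recur in comment #4 (encode a user-supplied title before it lands in a Quick Edit form attribute; send a frame-busting header on admin and login pages) and the template-escaping point made in comment #2 both come down to output encoding in the right context. The following is an added example written for this page, not WordPress, Serendipity or openSUSE infrastructure code; the function names, the hostile title and the assumption that the hardened path behaves like attribute-context escaping plus an X-Frame-Options header are this example's own.

```php
<?php
// Added example (not WordPress code). Shows why "properly encode title used in
// Quick/Bulk Edit" matters and what the clickjacking header does.
// All names below are illustrative assumptions, not WordPress API names.

// Constructed hostile title, as an Author/Contributor could save it. A single
// quote is all that is needed to break out of a single-quoted attribute.
$hostile_title = "Hello' onfocus='alert(document.cookie)' x='";

// Before: the title is interpolated into the form unencoded.
function quick_edit_field_unsafe(string $title): string {
    return "<input name='post_title' value='" . $title . "'>";
}

// After: encode for an HTML attribute context. ENT_QUOTES is the important
// flag: htmlspecialchars() with its default flags leaves single quotes alone,
// so a single-quoted attribute would still be injectable.
function esc_attr_example(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function quick_edit_field_safe(string $title): string {
    return "<input name='post_title' value='" . esc_attr_example($title) . "'>";
}

// A coarse reviewer check: does the rendered markup contain a raw quote
// followed by an on*= event handler attribute? Approximate on purpose; it is a
// smoke test for a template, not a parser.
function leaks_attribute(string $html): bool {
    return (bool) preg_match("/['\"]\\s+on\\w+=/i", $html);
}

// Clickjacking protection for admin/login pages: forbid framing from other
// origins. Must go out before any body output, hence the headers_sent() guard.
function send_frame_options(): void {
    if (!headers_sent()) {
        header('X-Frame-Options: SAMEORIGIN');
    }
}

send_frame_options();

// The unsafe rendering ends up with an injected onfocus attribute; the safe
// rendering carries the title as a literal value with both quotes encoded.
$unsafe = quick_edit_field_unsafe($hostile_title);
$safe   = quick_edit_field_safe($hostile_title);
echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo 'unsafe leaks handler: ', var_export(leaks_attribute($unsafe), true), PHP_EOL;
echo 'safe leaks handler:   ', var_export(leaks_attribute($safe), true), PHP_EOL;
```

Run it from the command line with `php`; in that mode `header()` is a no-op, so the X-Frame-Options line is only observable when the same code runs under a web server. The second echo shows the encoded title with `&#039;` in place of each single quote, which is the difference between an attribute value and an attribute injection.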
https://bugzilla.novell.com/show_bug.cgi?id=670349#c

Barb Beckstead <bbeckstead@novell.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |bbeckstead@novell.com
  Business Priority|            |600
https://bugzilla.novell.com/show_bug.cgi?id=670349#c5

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED    |RESOLVED
         Resolution|            |FIXED

--- Comment #5 from Christian Boltz <suse-beta@cboltz.de> 2011-12-15 13:06:07 CET ---
Matthew updated to WordPress 3.2.1 some weeks ago. In the meantime 3.3 was released, but I didn't notice anything security-relevant in the announcement. Therefore I'm closing this bug as fixed.