wordpress: CORE-2009-0515 privileges unchecked and multiple information disclosures

Debian Bug report logs - #536724

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Sun, 12 Jul 2009 21:57:02 UTC

Severity: serious

Tags: security

Found in versions wordpress/2.5.1-11, wordpress/2.0.10-1etch4, wordpress/2.7.1-2

Fixed in versions wordpress/2.8.3-1, wordpress/2.5.1-11+lenny1, wordpress/2.0.10-1etch4

Done: Giuseppe Iuculano <giuseppe@iuculano.it>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#536724; Package wordpress. (Sun, 12 Jul 2009 21:57:04 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Sun, 12 Jul 2009 21:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: wordpress: CORE-2009-0515 privileges unchecked and multiple information disclosures
Date: Sun, 12 Jul 2009 17:47:46 -0400
package: wordpress
version: 2.0.10-1etch4
severity: serious
tags: security

an advisory, CORE-2009-0515, has been issued for wordpress.  there are issues
with unchecked privileges and many potential information disclosures.  see [1].

this is fixed in upstream version 2.8.1.  please coordinate with the security
team to prepare updates for the stable releases.

[1] http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=view&type=advisory&name=WordPress_Privileges_Unchecked




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#536724; Package wordpress. (Mon, 13 Jul 2009 06:51:04 GMT)


Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list. (Mon, 13 Jul 2009 06:51:04 GMT)


Message #10 received at 536724@bugs.debian.org:

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 536724@bugs.debian.org
Subject: Re: Bug#536724: wordpress: CORE-2009-0515 privileges unchecked and multiple information disclosures
Date: Mon, 13 Jul 2009 08:45:03 +0200
> this is fixed in upstream version 2.8.1.  please coordinate with the
> security
> team to prepare updates for the stable releases.


Wordpress 2.8.1 is going to be uploaded in sid in the near future.

As for the stable release I'm going to prepare a patch and submit it to the
security team.


Thank you for reporting this.

Cheers.

Andrea De Iacovo

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#536724; Package wordpress. (Sun, 09 Aug 2009 04:57:02 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Sun, 09 Aug 2009 04:57:02 GMT)


Message #15 received at 536724@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 536724@bugs.debian.org
Subject: incomplete fix
Date: Sun, 9 Aug 2009 00:52:42 -0400
the 2.8.1 fix is incomplete, and is now claimed fixed in 2.8.3.  see:

http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://core.trac.wordpress.org/changeset/11765
http://core.trac.wordpress.org/changeset/11766
http://core.trac.wordpress.org/changeset/11768
http://core.trac.wordpress.org/changeset/11769




Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#536724; Package wordpress. (Sun, 09 Aug 2009 20:03:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Sun, 09 Aug 2009 20:03:02 GMT)


Message #20 received at 536724@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Cc: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 536724@bugs.debian.org
Subject: Re: Bug#536724: wordpress: CORE-2009-0515 privileges unchecked and multiple information disclosures
Date: Sun, 9 Aug 2009 21:58:34 +0200
On Mon, Jul 13, 2009 at 08:45:03AM +0200, Andrea De Iacovo wrote:
> > this is fixed in upstream version 2.8.1.  please coordinate with the
> > security
> > team to prepare updates for the stable releases.
> 
> 
> Wordpress 2.8.1 is going to be uploaded in sid in the near future.
> 
> As for the stable release I'm going to prepare a patch and submit it to the
> security team.

Likewise, what's the status?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#536724; Package wordpress. (Mon, 10 Aug 2009 16:21:06 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Mon, 10 Aug 2009 16:21:06 GMT)


Message #25 received at 536724@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Andrea De Iacovo <andrea.de.iacovo@gmail.com>, 536724@bugs.debian.org
Subject: Re: Bug#536724: wordpress: CORE-2009-0515 privileges unchecked
Date: Mon, 10 Aug 2009 17:58:51 +0200
Hi Moritz,

Moritz Muehlenhoff wrote:
> On Mon, Jul 13, 2009 at 08:45:03AM +0200, Andrea De Iacovo wrote:
>> > this is fixed in upstream version 2.8.1.  please coordinate with the
>> > security
>> > team to prepare updates for the stable releases.
>> 
>> 
>> Wordpress 2.8.1 is going to be uploaded in sid in the near future.
>> 
>> As for the stable release I'm going to prepare a patch and submit it to the
>> security team.
> 
> Likewise, what's the status?


Andrea accepted my help and we will co-maintain wordpress.
I'm preparing wordpress 2.8.3-1, could I ask you to sponsor it when ready? If
you agree I can also set the DM-Upload-Allowed control field for future uploads.


Cheers,
Giuseppe.


Bug Marked as found in versions wordpress/2.7.1-2. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Tue, 11 Aug 2009 11:24:12 GMT)


Bug Marked as found in versions wordpress/2.5.1-11. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Tue, 11 Aug 2009 11:24:13 GMT)


Added tag(s) pending. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Tue, 11 Aug 2009 11:24:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#536724; Package wordpress. (Tue, 11 Aug 2009 17:21:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Tue, 11 Aug 2009 17:21:08 GMT)


Message #36 received at 536724@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Andrea De Iacovo <andrea.de.iacovo@gmail.com>, 536724@bugs.debian.org
Subject: Re: Bug#536724: wordpress: CORE-2009-0515 privileges unchecked
Date: Tue, 11 Aug 2009 19:19:52 +0200
On Mon, Aug 10, 2009 at 05:58:51PM +0200, Giuseppe Iuculano wrote:
> Hi Moritz,
> 
> Moritz Muehlenhoff wrote:
> > On Mon, Jul 13, 2009 at 08:45:03AM +0200, Andrea De Iacovo wrote:
> >> > this is fixed in upstream version 2.8.1.  please coordinate with the
> >> > security
> >> > team to prepare updates for the stable releases.
> >> 
> >> 
> >> Wordpress 2.8.1 is going to be uploaded in sid in the near future.
> >> 
> >> As for the stable release I'm going to prepare a patch and submit it to the
> >> security team.
> > 
> > Likewise, what's the status?
> 
> 
> Andrea accepted my help and we will co-maintain wordpress.
> I'm preparing wordpress 2.8.3-1, could I ask you to sponsor it when ready? If
> you agree I can also set the DM-Upload-Allowed control field for future uploads.

I'm leaving to HAR 2009 soon, I'll look into it, but it might take a couple
days.

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#536724; Package wordpress. (Tue, 11 Aug 2009 19:48:02 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Tue, 11 Aug 2009 19:48:02 GMT)


Message #41 received at 536724@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Andrea De Iacovo <andrea.de.iacovo@gmail.com>, 536724@bugs.debian.org
Subject: Re: Bug#536724: wordpress: CORE-2009-0515 privileges unchecked
Date: Tue, 11 Aug 2009 21:46:27 +0200
Moritz Muehlenhoff wrote:
> I'm leaving to HAR 2009 soon, I'll look into it, but it might take a couple
> days.


Thijs sponsored the upload, thanks anyway!

Cheers,
Giuseppe.


Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Tue, 11 Aug 2009 20:00:10 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 11 Aug 2009 20:00:10 GMT)


Message #46 received at 536724-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 536724-close@bugs.debian.org
Subject: Bug#536724: fixed in wordpress 2.8.3-1
Date: Tue, 11 Aug 2009 19:48:14 +0000
Source: wordpress
Source-Version: 2.8.3-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.8.3-1.diff.gz
  to pool/main/w/wordpress/wordpress_2.8.3-1.diff.gz
wordpress_2.8.3-1.dsc
  to pool/main/w/wordpress/wordpress_2.8.3-1.dsc
wordpress_2.8.3-1_all.deb
  to pool/main/w/wordpress/wordpress_2.8.3-1_all.deb
wordpress_2.8.3.orig.tar.gz
  to pool/main/w/wordpress/wordpress_2.8.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Aug 2009 16:30:35 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 wordpress  - weblog manager
Closes: 506685 531736 531736 533387 536724 537146 539411
Changes: 
 wordpress (2.8.3-1) unstable; urgency=medium
 .
   * [f625087] Imported Upstream version 2.8.3 (Closes: #533387, #539411)
     This release fixed several security issues:
     - Privileges unchecked and multiple information disclosures.
       (CVE-2009-2334, CVE-2009-2335, CVE-2009-2336) (Closes: #536724)
     - CVE-2009-2431, CVE-2009-2432: Obtain sensitive information
       (Closes: #537146)
     - CVE-2008-6762: Open redirect vulnerability in wp-admin/upgrade.php
       (Closes: #531736)
   * [347c164] debian/control: Added Giuseppe Iuculano in Uploaders,
     added Vcs and DM-Upload-Allowed control field
   * [92fb4ab] Bump to debhelper 7 compatibility levels
   * [5b8536e] Refreshing patches
   * [d999c0e] Added a watch file
   * [4163c0c] debian/rules: Do not remove the autosave tinymce plugin, it
     isn't there anymore.
   * [9c4d0e5] debian/get-upstream-i18n: download .xpi files into
     debian/languages
   * [76b7c5c] Install language files
   * [a0bfad2] Move gettext in Build-Depends-Indep
   * [8b607bf] Use set -e instead of passing -e to the shell on the #!
     line
   * [6cbbf36] debian/patches/009CVE2008-6767.dpatch: Only admin can
     upgrade wordpress. (CVE-2008-6767) (Closes: #531736)
   * [d6adfbe] Disabled the "please update" warning, thanks to Hans
     Spaans and Rolf Leggewie (Closes: #506685)
   * [15c360c] Updated to standards version 3.8.2 (No changes needed)
Checksums-Sha1: 
 22d37d15eaf29d4b7418cdb549c5b6338c455184 1544 wordpress_2.8.3-1.dsc
 669cdf11a1728321283c724a0207eb37653caf73 2078634 wordpress_2.8.3.orig.tar.gz
 120080cd8d4927a8dfe970c0a258805a5e3dfcbd 3384120 wordpress_2.8.3-1.diff.gz
 f951932243bd64a76f3f9a5228ba2d805eff1b8f 4215764 wordpress_2.8.3-1_all.deb
Checksums-Sha256: 
 3b4fda3ca671be0de7f60d4ee54afaa52f84f792fef39ac4010663f980e9655c 1544 wordpress_2.8.3-1.dsc
 8db730cf2e852103967a1fce49294b65168746341474b7f8b49967d2a3461c59 2078634 wordpress_2.8.3.orig.tar.gz
 b611f2da4f0bc53d7bbb62f33c211bf516f608f632416b0b43a7a9a474465f16 3384120 wordpress_2.8.3-1.diff.gz
 62baebcf7c354f7a211dcfc90a531f7c517aa1591e64038c244a1ddae8e8cdef 4215764 wordpress_2.8.3-1_all.deb
Files: 
 a59d59df4d12fb2f89aba4503f275a84 1544 web optional wordpress_2.8.3-1.dsc
 0edfb5145f4b246eed72646355c45ea0 2078634 web optional wordpress_2.8.3.orig.tar.gz
 64a0b705cda0b79255a15884a4866731 3384120 web optional wordpress_2.8.3-1.diff.gz
 1f71bb0467d528cffdc8bece1d16e43e 4215764 web optional wordpress_2.8.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBCAAGBQJKgccGAAoJECIIoQCMVaAcQz4H/AjbaQs4Q6HfdTrDAQdYAT1I
dYvWko05+qt3BFGkFDboVXgs5RRGCnhgGAkWfSu0nWiPCU/yRTegwwZgsbBFZ/vH
Xy98e4vuyo7I5yFeRDedOdINuWRDrjEQgaNYOT5vpjPx+fkeMs1Nb6pCYE758E31
4MYuVmYNFtxq6l3uwuhnaUlAME7LvT0+Nqas+wAPTU0DgmlXmGcmghm4OrRjJ11y
UMHQDyLGjsupo+GMrdTDfvQFpA9lYRGT8S8FFHikgUPDKBvfbErb1tg1IIp8FJmK
WLON7V7VK/LiY3saxj1SfG0t0khpc0PtfSa/LevsFF2i50JEYV4FLWz8Do3hyXQ=
=1Mc9
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sun, 23 Aug 2009 14:33:18 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 23 Aug 2009 14:33:19 GMT)


Message #51 received at 536724-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 536724-close@bugs.debian.org
Subject: Bug#536724: fixed in wordpress 2.5.1-11+lenny1
Date: Sun, 23 Aug 2009 14:03:05 +0000
Source: wordpress
Source-Version: 2.5.1-11+lenny1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.5.1-11+lenny1.diff.gz
  to pool/main/w/wordpress/wordpress_2.5.1-11+lenny1.diff.gz
wordpress_2.5.1-11+lenny1.dsc
  to pool/main/w/wordpress/wordpress_2.5.1-11+lenny1.dsc
wordpress_2.5.1-11+lenny1_all.deb
  to pool/main/w/wordpress/wordpress_2.5.1-11+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 15 Aug 2009 13:34:19 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-11+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 wordpress  - weblog manager
Closes: 531736 531736 536724
Changes: 
 wordpress (2.5.1-11+lenny1) stable-security; urgency=high
 .
   * [27cfd35] Fixed CVE-2008-6762: Force redirect after an upgrade
     (Closes: #531736)
   * [ac2490b] Fixed CVE-2008-6767.dpatch: Only admin can upgrade
     wordpress. (Closes: #531736)
   * [0ffcaaf] Fixed CVE-2009-2334 and CVE-2009-2854: Added some CYA cap checks
     (Closes: #536724)
   * [12717df] Fixed CVE-2009-2851: Sanitize HTML URLs in author comments
   * [d321ea7] Fixed CVE-2009-2853: Stop direct loading of files in wp-admin
     that should only be included
Checksums-Sha1: 
 f3012344a6557c1e151eb73c9a8675f17d615c84 1051 wordpress_2.5.1-11+lenny1.dsc
 4a8d82e9a80bc5b5c1c251e00296e93dbb364829 1181886 wordpress_2.5.1.orig.tar.gz
 ab98b6e0f13f2393afd049f82e7d694547712bf0 702119 wordpress_2.5.1-11+lenny1.diff.gz
 d9c0c7d766544efe2edb7135f0712ac568ec1d5a 1029028 wordpress_2.5.1-11+lenny1_all.deb
Checksums-Sha256: 
 e473763e11e15324bc6d142adbf57af75ae63979ea3d81c41ff44d70eac8d39d 1051 wordpress_2.5.1-11+lenny1.dsc
 3ac5b9287d61ff90f9e1f5790dcfeda490b2da21b5af9098b2f76c3e8059057b 1181886 wordpress_2.5.1.orig.tar.gz
 a43fff5f077001d4a3aadd1046f25ec2cb3efc488a85c8e90981167963c0fe82 702119 wordpress_2.5.1-11+lenny1.diff.gz
 9c923a31537fe1db6b9154215663c91b915b903d056085066925c9763560fcf8 1029028 wordpress_2.5.1-11+lenny1_all.deb
Files: 
 46d9daad717f36918e2709757523f6eb 1051 web optional wordpress_2.5.1-11+lenny1.dsc
 b1a40387006e54dcbd963d0cb5da0df4 1181886 web optional wordpress_2.5.1.orig.tar.gz
 07658ad36bed8829f58b1b6223eac294 702119 web optional wordpress_2.5.1-11+lenny1.diff.gz
 2d30e38e22761f87e23d2c85120bb1ff 1029028 web optional wordpress_2.5.1-11+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqN5K0ACgkQ62zWxYk/rQfAfACgqEvVSiSmGfpFdzc4zPhikzbM
gbQAoKJiSQEbbzMMaDv90Kk7rWbfmNhy
=lH4H
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sun, 23 Aug 2009 14:33:22 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 23 Aug 2009 14:33:22 GMT)


Message #56 received at 536724-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 536724-close@bugs.debian.org
Subject: Bug#536724: fixed in wordpress 2.0.10-1etch4
Date: Sun, 23 Aug 2009 14:03:09 +0000
Source: wordpress
Source-Version: 2.0.10-1etch4

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.0.10-1etch4.diff.gz
  to pool/main/w/wordpress/wordpress_2.0.10-1etch4.diff.gz
wordpress_2.0.10-1etch4.dsc
  to pool/main/w/wordpress/wordpress_2.0.10-1etch4.dsc
wordpress_2.0.10-1etch4_all.deb
  to pool/main/w/wordpress/wordpress_2.0.10-1etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Aug 2009 11:58:32 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.0.10-1etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 wordpress  - an award-winning weblog manager
Closes: 491846 500115 504234 504243 504771 531736 531736 536724
Changes: 
 wordpress (2.0.10-1etch4) oldstable-security; urgency=high
 .
   * [2ef79dd] Removed 010CVE2008-0664.patch, it caused a regression and
     wordpress 2.0.10 isn't affected by CVE-2008-0664. (Closes: #491846)
   * [abbabe9] Fixed CVE-2008-1502 _bad_protocol_once function in KSES
     allows remote attackers to conduct XSS attacks (Closes: #504243)
   * [e8a73eb] Fixed CVE-2008-4106: Whitespaces in user name are now
     checked during login. (Closes: #500115)
   * [8a2e4f9] Fixed CVE-2008-4769: Sanitize "cat" query var and cast to
     int before looking for a category template
   * [711274f] Fixed CVE-2008-4796: missing input sanitising in embedded
     copy of Snoopy.class.php (Closes: #504234)
   * [17c72c0] Fixed CVE-2008-6762: Force redirect after an upgrade
     (Closes: #531736)
   * [88d8244] Fixed CVE-2008-6767: Only admin can upgrade wordpress.
     (Closes: #531736)
   * [d5c02a9] Fixed CVE-2009-2334 and CVE-2009-2854: Added some CYA cap checks
     (Closes: #536724)
   * [80e9dbd] Fixed CVE-2008-5113: Force REQUEST to be GET + POST.  If
     SERVER, COOKIE, or ENV are needed, use those superglobals directly.
     (Closes: #504771)
   * [7f577ca] Fixed CVE-2009-2851: Sanitize HTML URLs in author comments
   * [f23d55f] Fixed CVE-2009-2853: Stop direct loading of files in wp-admin
     that should only be included
Files: 
 d9389cbc71eee6f08b15762a97c9d537 607 web optional wordpress_2.0.10-1etch4.dsc
 45349b0822fc376b8cfef51b5cec3510 50984 web optional wordpress_2.0.10-1etch4.diff.gz
 71a6aea482d0e7afb9c82701bef336e9 521060 web optional wordpress_2.0.10-1etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqN5KUACgkQ62zWxYk/rQf2XgCdFV8GR2K1YxsS+LI4qrIQVc+z
FXQAoKs1Tt+JiOHxEEM61EeSOwUpUPhw
=kQoV
-----END PGP SIGNATURE-----
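The stable and oldstable changelogs above describe the CVE-2009-2334 / CVE-2009-2854 fix only as "added some CYA cap checks", the CVE-2009-2853 fix as "stop direct loading of files in wp-admin that should only be included", and the CVE-2008-5113 fix as "force REQUEST to be GET + POST". The PHP below is an added illustration of those three patterns written for this page; it is not WordPress code and not the Debian patch, and does not reproduce the actual vulnerable code paths. The handler, option name and nonce action (everything prefixed hypothetical_) are invented. It assumes a WordPress install that provides current_user_can(), check_admin_referer(), wp_die(), __(), update_option() and sanitize_text_field() (the last was added in WordPress 2.9, after the versions in this report, so older trees would use a different sanitiser).

```php
<?php
// Added illustration for this bug log, not WordPress code and not the Debian
// patch. Everything prefixed "hypothetical_" is invented for the example.

// CVE-2009-2853 pattern, "stop direct loading of files in wp-admin that
// should only be included": a file meant only for include() bails out when
// fetched directly. ABSPATH is defined by wp-config.php, so it is absent when
// PHP runs this file on its own and the file's code never executes.
if ( ! defined( 'ABSPATH' ) ) {
	exit( 'Direct access not permitted.' );
}

// Vulnerable shape ("privileges unchecked"): the handler assumes that whoever
// reached this URL is an administrator and verifies nothing, so any
// authenticated low-privilege user who knows the URL can change the option.
function hypothetical_save_setting_unchecked() {
	update_option( 'hypothetical_setting', $_REQUEST['value'] );
}

// Hardened shape, the "cap checks" the changelog refers to: verify the
// capability with current_user_can() before any side effect, and tie the
// request to a nonce so a forged cross-site form cannot drive it.
function hypothetical_save_setting_checked() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
	}
	check_admin_referer( 'hypothetical_save_setting' );

	// Read from $_POST, not $_REQUEST (cf. the CVE-2008-5113 entry):
	// depending on PHP's request_order / variables_order settings, $_REQUEST
	// also merges $_COOKIE, so an attacker who can plant a cookie could supply
	// the value long after the fact. Sanitise before storing.
	$value = isset( $_POST['value'] ) ? sanitize_text_field( $_POST['value'] ) : '';
	update_option( 'hypothetical_setting', $value );
}
```

The check a practitioner would run on a patched tree is the same one the changelog implies: every wp-admin action that writes state must reach a current_user_can() (and a nonce check) before it touches the database, and every include-only file under wp-admin must refuse to run when requested directly. Both are cheap to grep for and are what "CYA cap checks" amounts to in practice.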





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 21 Sep 2009 07:38:49 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:22:48 2019; Machine Name: beach