Debian Bug report logs -
#541102
Remote users may reset the admin password
Reported by: Daniel Leidert <daniel.leidert@wgdd.de>
Date: Tue, 11 Aug 2009 18:33:02 UTC
Severity: important
Tags: patch, security
Found in version wordpress/2.7.1-2
Fixed in version wordpress/2.8.3-2
Done: Giuseppe Iuculano <giuseppe@iuculano.it>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#541102; Package wordpress.
(Tue, 11 Aug 2009 18:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Leidert <daniel.leidert@wgdd.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>.
(Tue, 11 Aug 2009 18:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: wordpress
Version: 2.7.1-2
Severity: grave
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The original report says, that the issue can be used to compromise the
admin account. In a newer version it is said, that this is not possible.
But I set severity to grave for the moment. Please decide on your own.
http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html
http://core.trac.wordpress.org/changeset/11798
The vulnerability AFAIK applies to all versions, including version 2.8.3.
CVE number currently unknown.
Regards, Daniel
- -- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (110, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages wordpress depends on:
ii apache2 2.2.12-1 Apache HTTP Server metapackage
ii apache2-mpm-prefork [htt 2.2.12-1 Apache HTTP Server - traditional n
ii libapache2-mod-php5 5.2.10.dfsg.1-2 server-side, HTML-embedded scripti
ii libjs-jquery 1.3.3-1 JavaScript library for dynamic web
pn libjs-prototype <none> (no description available)
pn libjs-scriptaculous <none> (no description available)
pn libphp-phpmailer <none> (no description available)
pn libphp-snoopy <none> (no description available)
ii php5 5.2.10.dfsg.1-2 server-side, HTML-embedded scripti
pn php5-gd | php4-gd <none> (no description available)
pn php5-mysql | php4-mysql <none> (no description available)
pn tinymce <none> (no description available)
pn virtual-mysql-client <none> (no description available)
wordpress recommends no packages.
Versions of packages wordpress suggests:
pn virtual-mysql-server <none> (no description available)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqBt7cACgkQm0bx+wiPa4wKHQCeIaaLmxs52dNnGLq7YKLQeOhW
7E0An3w73ZMRvCi+9KJyDpf7+P1pVtSX
=CwaB
-----END PGP SIGNATURE-----
Severity set to 'important' from 'grave'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Tue, 11 Aug 2009 18:42:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#541102; Package wordpress.
(Tue, 11 Aug 2009 19:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Richard van den Berg <richard@vdberg.org>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>.
(Tue, 11 Aug 2009 19:06:02 GMT) (full text, mbox, link).
Message #12 received at 541102@bugs.debian.org (full text, mbox, reply):
I tried the URL from the advisory on my wordpress 2.7.1-2 blog, and it
said the key was invalid. The admin password was not reset.
Regards,
Richard
Message sent on
to Daniel Leidert <daniel.leidert@wgdd.de>:
Bug#541102.
(Tue, 11 Aug 2009 19:21:10 GMT) (full text, mbox, link).
Message #15 received at 541102-submitter@bugs.debian.org (full text, mbox, reply):
severity 541102 important
thanks
On Tue, 11 Aug 2009 20:26:03 +0200, Daniel Leidert wrote:
> The original report says, that the issue can be used to compromise the
> admin account. In a newer version it is said, that this is not possible.
> But I set severity to grave for the moment. Please decide on your own.
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html
> http://core.trac.wordpress.org/changeset/11798
>
> The vulnerability AFAIK applies to all versions, including version 2.8.3.
> CVE number currently unknown.
i agree that there is some concern here. if i were running wordpress,
i would not want an attacker to be able change my account's password
without authentication. however, this is not grave since it does not
give the attacker access to any functionality outside of wordpress.
maintainer, will you work on preparing updates for unstable and the next
stable/oldstable point releases? please coordinate with the security
team on that.
mike
Reply sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility.
(Wed, 12 Aug 2009 17:03:15 GMT) (full text, mbox, link).
Notification sent
to Daniel Leidert <daniel.leidert@wgdd.de>:
Bug acknowledged by developer.
(Wed, 12 Aug 2009 17:03:15 GMT) (full text, mbox, link).
Message #20 received at 541102-close@bugs.debian.org (full text, mbox, reply):
Source: wordpress
Source-Version: 2.8.3-2
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:
wordpress_2.8.3-2.diff.gz
to pool/main/w/wordpress/wordpress_2.8.3-2.diff.gz
wordpress_2.8.3-2.dsc
to pool/main/w/wordpress/wordpress_2.8.3-2.dsc
wordpress_2.8.3-2_all.deb
to pool/main/w/wordpress/wordpress_2.8.3-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 541102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 12 Aug 2009 18:18:52 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.8.3-2
Distribution: unstable
Urgency: medium
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description:
wordpress - weblog manager
Closes: 541102 541199
Changes:
wordpress (2.8.3-2) unstable; urgency=medium
.
* [2372863] debian/patches/011enforce_activaction_key.dpatch: Enforce
activation key to be a string (Closes: #541102)
* [cb80386] Fixed CVE-2008-6767 patch and prevent redirect loop.
(Closes: #541199)
Checksums-Sha1:
8c9c4cf99023fbb7e017d66ec9caec5139894af5 1250 wordpress_2.8.3-2.dsc
419554a82c1379511b0dc6851c8be67cbc51ba3d 3385452 wordpress_2.8.3-2.diff.gz
dd5dc5255ad7c0c782b5cb26fbcdaffd68f6d250 4210766 wordpress_2.8.3-2_all.deb
Checksums-Sha256:
0d710f93f08c537d0ae2ab9c3dc9fcb47310143c97fa28d3961c21e26d1853cc 1250 wordpress_2.8.3-2.dsc
00027556ebcba2c233ac2ad1e4a7f68b40547fb3f06c2f2b84c25a2926241a70 3385452 wordpress_2.8.3-2.diff.gz
057cc3cb65a05a41c022ec9cf94ba078ac57877e78114a3ca25e8703885d4c88 4210766 wordpress_2.8.3-2_all.deb
Files:
840471b825ba0a8349581841dd78185b 1250 web optional wordpress_2.8.3-2.dsc
f51f1901a7c22069c2aa466f20ed9f48 3385452 web optional wordpress_2.8.3-2.diff.gz
4e049bc97af966d4d29c2d8eae2cb743 4210766 web optional wordpress_2.8.3-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqC7M8ACgkQNxpp46476arC5ACeJeQautFZB1Fj75YNKcHUF+Rl
wGcAoJVDIN0447w6MeHWGDCyfIg8sIxk
=14Ar
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 15 Sep 2009 07:44:23 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:25:22 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon