wordpress: CVE-2008-3747 information leak, does not always force ssl

Related Vulnerabilities: CVE-2008-3747

Debian Bug report logs - #497216
Reported by: Nico Golde <nion@debian.org>

Date: Sat, 30 Aug 2008 22:57:04 UTC

Severity: grave

Tags: patch, security

Fixed in version wordpress/2.5.1-6

Done: Andrea De Iacovo <andrea.de.iacovo@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#497216; Package wordpress. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: wordpress: CVE-2008-3747 information leak, does not always force ssl
Date: Sun, 31 Aug 2008 00:50:55 +0200
Package: wordpress
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.

CVE-2008-3747[0]:
| The (1) get_edit_post_link and (2) get_edit_comment_link functions in
| wp-includes/link-template.php in WordPress before 2.6.1 do not force
| SSL communication in the intended situations, which might allow remote
| attackers to gain administrative access by sniffing the network for a
| cookie.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

There is a patch on: http://trac.wordpress.org/attachment/ticket/7359/edit_links_ssl.diff

Please ping me via private mail if you need a sponsor for 
the upload.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3747
    http://security-tracker.debian.net/tracker/CVE-2008-3747

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#497216; Package wordpress. (full text, mbox, link).


Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: Nico Golde <nion@debian.org>, 497216@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#497216: wordpress: CVE-2008-3747 information leak, does not always force ssl
Date: Sun, 31 Aug 2008 08:33:51 +0200
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wordpress.

Hello and thank you for reporting.

> There is a patch on: http://trac.wordpress.org/attachment/ticket/7359/edit_links_ssl.diff

The patch appears to be good. I should be able to provide the new
package very soon.

Thank you again.

Cheers.

Andrea De Iacovo

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#497216; Package wordpress. (full text, mbox, link).


Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #20 received at 497216@bugs.debian.org (full text, mbox, reply):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: Nico Golde <nion@debian.org>, 497216@bugs.debian.org
Subject: Re: Bug#497216: wordpress: CVE-2008-3747 information leak, does not always force ssl
Date: Sun, 31 Aug 2008 09:18:20 +0200
Hi

I've made a new wordpress package [1] to fix cve-2008-3747. Could you
please upload it?

[1]: http://mentors.debian.net/debian/pool/main/w/wordpress


Thank you very much.

Cheers

Andrea De Iacovo

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#497216; Package wordpress. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (full text, mbox, link).


Message #25 received at 497216@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 497216@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: Re: Bug#497216: wordpress: CVE-2008-3747 information leak, does not always force ssl
Date: Sun, 31 Aug 2008 11:19:47 +0200
> I've made a new wordpress package [1] to fix cve-2008-3747. Could you
> please upload it?

uploaded, thanks!


Thijs

Reply sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #30 received at 497216-close@bugs.debian.org (full text, mbox, reply):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 497216-close@bugs.debian.org
Subject: Bug#497216: fixed in wordpress 2.5.1-6
Date: Sun, 31 Aug 2008 09:32:09 +0000
Source: wordpress
Source-Version: 2.5.1-6

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.5.1-6.diff.gz
  to pool/main/w/wordpress/wordpress_2.5.1-6.diff.gz
wordpress_2.5.1-6.dsc
  to pool/main/w/wordpress/wordpress_2.5.1-6.dsc
wordpress_2.5.1-6_all.deb
  to pool/main/w/wordpress/wordpress_2.5.1-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 497216@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea De Iacovo <andrea.de.iacovo@gmail.com> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 31 Aug 2008 09:02:22 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-6
Distribution: unstable
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Description: 
 wordpress  - weblog manager
Closes: 497216
Changes: 
 wordpress (2.5.1-6) unstable; urgency=high
 .
   * Added patch to fix remote attack vulnerability (Closes: #497216)
   	Attackers could gain administrative powers by sniffing cookies.
   	This patch force wordpress over a ssl connection to prevent
   	this issue. (CVE-2008-3747)

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#497216; Package wordpress. (full text, mbox, link).


Acknowledgement sent to Peichert <peichert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (full text, mbox, link).


Message #35 received at 497216@bugs.debian.org (full text, mbox, reply):

From: Peichert <peichert@gmail.com>
To: 497216@bugs.debian.org
Subject: Re: Bug#497216: fixed in wordpress 2.5.1-6
Date: Tue, 2 Sep 2008 12:31:07 +0200
Hi,

After upgrading from 2.5.1-5 to 2.5.1-6 from sid/unstable
repositories the blog was broken. Page output halted suddenly behind
the first blog post if an admin is logged in. After logging out, blog
works fine.

Errorlog: [Mon Sep 01 12:37:25 2008] [error] [client ...] PHP Fatal
error:  Call to undefined function admin_url() in
/usr/share/wordpress/wp-includes/link-template.php on line 470

It seems that the patch to wp-includes/link-template.php uses a
function admin_url() which is only available since version 2.6 of
wordpress.

greetings,
Peichert
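
The regression reported above (a backported security patch calling admin_url(), which the 2.5.1 tree does not provide) is the kind of error a static check can catch before upload. The following is an added example, not part of the bug log and not the Debian or WordPress patch: `unknown_calls` is a hypothetical helper, and the source tree and diff it runs on are constructed samples.

```python
import re

# PHP constructs that look like calls but are not functions.
CONSTRUCTS = {"if", "elseif", "while", "for", "foreach", "switch", "return",
              "array", "isset", "empty", "unset", "list", "function"}
# A bare name followed by "(", excluding $obj->m(), Class::m() and $var() calls.
CALL = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")
DEFN = re.compile(r"\bfunction\s+&?\s*([A-Za-z_]\w*)\s*\(")

def added_lines(patch):
    """Yield the text of lines a unified diff adds (skipping '+++' headers)."""
    for line in patch.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]

def unknown_calls(patch, tree):
    """Names the patch calls that the target tree neither defines nor already
    calls. `tree` maps file path -> PHP source of the release being patched.
    A name the old tree already calls is assumed to exist (e.g. a PHP builtin)."""
    defined, called = set(), set()
    for src in tree.values():
        defined.update(DEFN.findall(src))
        called.update(CALL.findall(src))
    new = set()
    for text in added_lines(patch):
        new.update(CALL.findall(text))
        defined.update(DEFN.findall(text))  # the patch may ship its own helper
    return sorted(n for n in new
                  if n not in defined and n not in called and n not in CONSTRUCTS)

# Constructed sample data: NOT the real WordPress sources or the real patch.
OLD_TREE = {
    "wp-includes/link-template.php": """<?php
function get_edit_post_link( $id ) {
    return get_option( 'siteurl' ) . '/wp-admin/post.php?post=' . $id;
}
""",
    "wp-includes/functions.php": """<?php
function get_option( $name ) { return $GLOBALS['opts'][$name]; }
""",
}
PATCH = """--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -1,3 +1,3 @@
 function get_edit_post_link( $id ) {
-    return get_option( 'siteurl' ) . '/wp-admin/post.php?post=' . $id;
+    return admin_url( 'post.php?action=edit&post=' . $id );
 }
"""

if __name__ == "__main__":
    print(unknown_calls(PATCH, OLD_TREE))
```

The check is a heuristic on names only; it does not replace loading the patched page as a logged-in admin, which is where the fatal error in this report showed up.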




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#497216; Package wordpress. (full text, mbox, link).


Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #40 received at 497216@bugs.debian.org (full text, mbox, reply):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 497216@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#497216: fixed in wordpress 2.5.1-6
Date: Tue, 02 Sep 2008 14:15:22 +0200
severity 497216 grave

thanks

As you noticed the bug is due to an erroneous use of the admin_url()
function.
I'll fix the bug as soon as possible; in the meanwhile use version
2.5.1-5 from lenny please.

Thank you very much for reporting and sorry for the bad upgrade.

Regards.

Andrea De Iacovo

Severity set to `grave' from `grave' Request was from Andrea De Iacovo <andrea.de.iacovo@gmail.com> to control@bugs.debian.org. (Tue, 02 Sep 2008 12:18:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#497216; Package wordpress. (full text, mbox, link).


Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #47 received at 497216@bugs.debian.org (full text, mbox, reply):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 497216@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#497216: fixed in wordpress 2.5.1-6
Date: Thu, 04 Sep 2008 07:49:52 +0200
severity 497216 grave

thanks

As you noticed the bug is due to an erroneous use of the admin_url()
function.
I'll fix the bug as soon as possible; in the meanwhile use version
2.5.1-5 from lenny please.

Thank you very much for reporting and sorry for the bad upgrade.

Regards.

Andrea De Iacovo





Severity set to `grave' from `grave' Request was from Andrea De Iacovo <andrea.de.iacovo@gmail.com> to control@bugs.debian.org. (Thu, 04 Sep 2008 05:51:28 GMT) (full text, mbox, link).


Message #50 received at 497216-done@bugs.debian.org (full text, mbox, reply):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 497216-done@bugs.debian.org
Date: Fri, 12 Sep 2008 07:55:51 +0200
The bug has been solved with the last wordpress upload.

I'm going to contact the release manager to bring the final version in
lenny as soon as possible.

Cheers.

Andrea De Iacovo

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Oct 2008 07:26:14 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:48:03 2019; Machine Name: buxtehude
