Debian Bug report logs - #722537
wordpress: CVE-2013-4338 CVE-2013-4339 CVE-2013-4340
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 12 Sep 2013 05:30:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version wordpress/3.5.1+dfsg-2
Fixed in versions 3.6.1+dfsg-1, wordpress/3.6.1+dfsg-1~deb6u1
Done: Yves-Alexis Perez <corsac@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#722537; Package wordpress. (Thu, 12 Sep 2013 05:30:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>. (Thu, 12 Sep 2013 05:30:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: wordpress
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerabilities were published for wordpress.
CVE-2013-4338[0]:
Unsafe PHP unserialization
CVE-2013-4339[1]:
Open Redirect / Insufficient Input Validation
CVE-2013-4340[2]:
Privilege Escalation
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
http://security-tracker.debian.org/tracker/CVE-2013-4338
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
http://security-tracker.debian.org/tracker/CVE-2013-4339
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
http://security-tracker.debian.org/tracker/CVE-2013-4340
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions wordpress/3.5.1+dfsg-2. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Thu, 12 Sep 2013 21:45:08 GMT)
Reply sent to Raphael Hertzog <hertzog@debian.org>: You have taken responsibility. (Thu, 12 Sep 2013 21:54:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 12 Sep 2013 21:54:05 GMT)
Message #12 received at 722537-done@bugs.debian.org:
Version: 3.6.1+dfsg-1
On Thu, 12 Sep 2013, Salvatore Bonaccorso wrote:
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
I had prepared an upload before seeing this bug so the changelog entry
doesn't reference it and I'm closing it manually. Squeeze and wheezy
are also affected though.
> Please adjust the affected versions in the BTS as needed.
Done.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Added tag(s) pending. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Fri, 13 Sep 2013 21:12:12 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#722537. (Fri, 13 Sep 2013 21:12:16 GMT)
Message #17 received at 722537-submitter@bugs.debian.org:
tag 722537 pending
thanks
Hello,
Bug #722537 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=6496a33
---
commit 6496a33c1dfe723e736bf51bbc25d9a5edb110ae
Author: Yves-Alexis Perez <corsac@debian.org>
Date: Fri Sep 13 22:18:29 2013 +0200
Add changelog entry for Squeeze upload.
* Non-maintainer upload by the Security Team.
* Import wordpress from Jessie to fix all the security issues present in
Squeeze.
- update to Wordpress 3.6.1 closes: #722537
+ CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code
execution.
+ CVE-2013-4339: improper input validation in URL parsing can lead to
arbitrary redirection.
+ CVE-2013-4340: privilege escalation allowing a user with an author
role to create an entry appearing as written by another user.
+ CVE-2013-5738: authenticated users can conduct cross-site scripting
attacks (XSS) using crafted html file uploads.
+ CVE-2013-5739: default Wordpress configuration doesn't prevent upload
for .swf and .exe files, making it easier for authenticated users to
conduct XSS attacks.
diff --git a/debian/changelog b/debian/changelog
index 45995a5..00ac201 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+wordpress (3.6.1+dfsg-1~deb6u1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Import wordpress from Jessie to fix all the security issues present in
+ Squeeze.
+ - update to Wordpress 3.6.1 closes: #722537
+ + CVE-2013-4338: unsafe PHP unserialization can causes arbitrary code
+ execution.
+ + CVE-2013-4339: unproper input validation in URL parsing can lead to
+ arbitrary redirection.
+ + CVE-2013-4340: privilege escalation allowing an user with an author
+ role to create an entry appearing as written by another user.
+ + CVE-2013-5738: authenticated users can conduct cross-site scripting
+ attacks (XSS) using crafted html file uploads.
+ + CVE-2013-5739: default Wordpress configuration doesn't prevent upload
+ for .swf and .exe files, making it easier for authenticated users to
+ conduct XSS attacks.
+
+ -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Sep 2013 21:47:46 +0200
+
wordpress (3.6.1+dfsg-1) unstable; urgency=high
* New upstream security release.
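Review bot: the distribution field of the new stanza, `wordpress (3.6.1+dfsg-1~deb6u1) UNRELEASED; urgency=high`, has to become `squeeze-security` before the package is built for upload; dpkg-genchanges copies that field into the .changes, and an upload targeting UNRELEASED will not be accepted into squeeze-security. A placeholder is fine for a work-in-progress commit, but it deserves a follow-up commit rather than an edit made only at upload time. Two smaller points in the same hunk: `closes: #722537` hangs off the `- update to Wordpress 3.6.1` sub-item rather than the top-level entry, and lower-case `closes:` is accepted by dpkg but the usual spelling is `Closes:`; and the CVE lines read `can causes`, `unproper` and `an user` (`can cause`, `improper`, `a user`).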
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#722537. (Sat, 14 Sep 2013 09:21:06 GMT)
Message #20 received at 722537-submitter@bugs.debian.org:
tag 722537 pending
thanks
Hello,
Bug #722537 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=a8fbc2c
---
commit a8fbc2c80e478c47229a69fb6fccf246c3752e21
Author: Yves-Alexis Perez <corsac@debian.org>
Date: Fri Sep 13 22:18:29 2013 +0200
Add changelog entry for Squeeze upload.
* Non-maintainer upload by the Security Team.
* Import wordpress from Jessie to fix all the security issues present in
Squeeze.
- update to Wordpress 3.6.1 closes: #722537
+ CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code
execution.
+ CVE-2013-4339: improper input validation in URL parsing can lead to
arbitrary redirection.
+ CVE-2013-4340: privilege escalation allowing a user with an author
role to create an entry appearing as written by another user.
+ CVE-2013-5738: authenticated users can conduct cross-site scripting
attacks (XSS) using crafted html file uploads.
+ CVE-2013-5739: default Wordpress configuration doesn't prevent upload
for .swf and .exe files, making it easier for authenticated users to
conduct XSS attacks.
diff --git a/debian/changelog b/debian/changelog
index 45995a5..300cea6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+wordpress (3.6.1+dfsg-1~deb6u1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Import Wordpress 3.6.1 from Jessie to fix all the security issues present
+ in Squeeze: closes: #722537
+ - CVE-2013-4338: unsafe PHP unserialization can causes arbitrary code
+ execution.
+ - CVE-2013-4339: unproper input validation in URL parsing can lead to
+ arbitrary redirection.
+ - CVE-2013-4340: privilege escalation allowing an user with an author role
+ to create an entry appearing as written by another user.
+ - CVE-2013-5738: authenticated users can conduct cross-site scripting
+ attacks (XSS) using crafted html file uploads.
+ - CVE-2013-5739: default Wordpress configuration doesn't prevent upload
+ for .swf and .exe files, making it easier for authenticated users to
+ conduct XSS attacks.
+
+ -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Sep 2013 21:47:46 +0200
+
wordpress (3.6.1+dfsg-1) unstable; urgency=high
* New upstream security release.
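Review bot: this is a rewrite of 6496a33 rather than a commit on top of it: the pre-image blob is the same `45995a5` in both diffs and the commit date is identical, so the earlier commit was amended after the submitter notification for it had already gone out, and anyone who fetched 6496a33 from collab-maint now has a diverged branch. Flattening the nested `+` bullets into `-` items and moving `closes: #722537` onto the import line is an improvement, but the distribution is still `UNRELEASED` and the CVE lines still say `can causes`, `unproper` and `an user`; this stanza is what lands verbatim in the signed .changes, so fix the wording here, e.g. `- CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code execution.`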
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#722537; Package wordpress. (Thu, 17 Oct 2013 13:54:04 GMT)
Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 17 Oct 2013 13:54:04 GMT)
Message #25 received at 722537@bugs.debian.org:
> CVE-2013-4338[0]:
> Unsafe PHP unserialization
https://core.trac.wordpress.org/changeset/25325
It is very vague how that was a security bug.
The code change doesn't actually make the default mode of
is_serialized() any stricter, that is unchanged. Rather, it implements
a new, more-relaxed check that can be used to prevent something being
stored in MySQL which, after being truncated due to another bug,
something else might be able to wrongly deserialise later... it's a
very poor way to fix what is really unsafe coding all over the place.
It mitigates this specific exploit though.
The original researcher explains the original vulnerability here:
http://vagosec.org/2013/09/wordpress-php-object-injection/
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
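An added illustration of the truncation path Steven describes above. This is example code written for this page, not WordPress's is_serialized() and not anything from the vagosec write-up; the DemoGadget class, the looks_serialized() helper, the 22-byte COLUMN_WIDTH, the store/read helpers and the attacker string are all constructed assumptions chosen so the mechanism is visible in a single script.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a gadget class. A real gadget does something
// harmful in __wakeup() or __destruct(); this one only counts how often
// unserialize() instantiated it, so the effect is observable.
final class DemoGadget
{
    public static $woken = 0;

    public function __wakeup()
    {
        self::$woken++;
    }
}

// "Does this string look like serialize() output?" Own code, modelled on the
// shape of WordPress's is_serialized() but not a copy of it. With $strict the
// string must end in a terminator (';' or '}'); without it any ';' or '}'
// anywhere is enough, so truncated or junk-suffixed payloads are caught too.
function looks_serialized(string $data, bool $strict = true): bool
{
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    if ($strict) {
        $last = substr($data, -1);
        if ($last !== ';' && $last !== '}') {
            return false;
        }
    } elseif (strpos($data, ';') === false && strpos($data, '}') === false) {
        return false;
    }
    switch ($data[0]) {
        case 's': case 'a': case 'O':
            return (bool) preg_match('/^[saO]:[0-9]+:/', $data);
        case 'b': case 'i': case 'd':
            return (bool) preg_match('/^[bid]:[0-9.E+-]+;/', $data);
    }
    return false;
}

// Assumed width of a MySQL VARCHAR column on a server running without
// STRICT_TRANS_TABLES: an over-long value is silently cut, not rejected.
const COLUMN_WIDTH = 22;

function column_store(string $value): string
{
    return substr($value, 0, COLUMN_WIDTH);
}

// Hardened write path, the shape of the 3.6.1 mitigation: refuse anything that
// looks serialized even without a terminator, before it reaches the column.
function hardened_store(string $value): ?string
{
    return looks_serialized($value, false) ? null : column_store($value);
}

// Read path in the style of maybe_unserialize(): whatever passes the strict
// check goes to unserialize(), and that is where the object comes to life.
function read_back(string $stored)
{
    return looks_serialized($stored) ? unserialize($stored) : $stored;
}

// Constructed attacker input: a 22-byte serialized DemoGadget plus 4 bytes
// of junk. The junk makes the strict check fail on the way in; the column
// width chops it off again, so the stored bytes are a valid object when read.
$attackerInput = 'O:10:"DemoGadget":0:{}' . 'junk';

printf("strict check on raw input:  %s\n", var_export(looks_serialized($attackerInput), true));
$stored = column_store($attackerInput);           // vulnerable write path
printf("bytes actually stored:      %s\n", $stored);
$value = read_back($stored);
printf("read back as:               %s\n", is_object($value) ? get_class($value) : gettype($value));
printf("DemoGadget::__wakeup runs:  %d\n", DemoGadget::$woken);

printf("hardened_store() result:    %s\n", var_export(hardened_store($attackerInput), true));

// Defence in depth on the read side (PHP >= 7.0, separate from the 3.6.1 fix):
// forbid class instantiation so no __wakeup() can run for stored data.
$inert = unserialize($stored, ['allowed_classes' => false]);
printf("with allowed_classes=false: %s\n", get_class($inert));
```

Run it with PHP 7.1 or newer. The strict check rejects the junk-suffixed input, the simulated column silently drops the suffix, and the read path hands a now-valid object string to unserialize(), which instantiates DemoGadget and runs its __wakeup(). hardened_store() refuses the same input because the relaxed check only asks whether a ';' or '}' appears at all, which is the property a truncated or padded payload cannot hide. The allowed_classes option is a later PHP feature shown here only as an independent second layer; it is not part of the WordPress change.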
Reply sent to Yves-Alexis Perez <corsac@debian.org>: You have taken responsibility. (Sat, 08 Feb 2014 23:21:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 08 Feb 2014 23:21:05 GMT)
Message #30 received at 722537-close@bugs.debian.org:
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb6u1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 722537@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Sep 2013 10:30:29 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
Closes: 722537
Changes:
wordpress (3.6.1+dfsg-1~deb6u1) squeeze-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Import Wordpress 3.6.1 from Jessie to fix all the security issues present
in Squeeze: closes: #722537
- CVE-2013-4338: unsafe PHP unserialization can causes arbitrary code
execution.
- CVE-2013-4339: unproper input validation in URL parsing can lead to
arbitrary redirection.
- CVE-2013-4340: privilege escalation allowing an user with an author role
to create an entry appearing as written by another user.
- CVE-2013-5738: authenticated users can conduct cross-site scripting
attacks (XSS) using crafted html file uploads.
- CVE-2013-5739: default Wordpress configuration doesn't prevent upload
for .swf and .exe files, making it easier for authenticated users to
conduct XSS attacks.
Checksums-Sha1:
040a70f20d0cf0f2970d9f63f10cee5cfd9486aa 1780 wordpress_3.6.1+dfsg-1~deb6u1.dsc
997fd2158cd14bd29a5598a81c780db34f7173f7 3214412 wordpress_3.6.1+dfsg.orig.tar.xz
e35710cc448855680625f2494257779551d152e8 11013851 wordpress_3.6.1+dfsg-1~deb6u1.debian.tar.gz
8b7a39162d8e978029c4f9a6c0ec6079868939ff 3989552 wordpress_3.6.1+dfsg-1~deb6u1_all.deb
866298b8e5dc7ab890b9a087779f2e17cfba7869 8859512 wordpress-l10n_3.6.1+dfsg-1~deb6u1_all.deb
Checksums-Sha256:
4da43dff7a3390e81b1f8fdab6a352d05ce76cd57ff9505ab7d069d099fe217b 1780 wordpress_3.6.1+dfsg-1~deb6u1.dsc
20714525a688eadd649e2e497b4cd300870445867e1f8b3305b49da5ca55b50d 3214412 wordpress_3.6.1+dfsg.orig.tar.xz
901c76616e68290d6a7d6b6f163549a13818d7705a3f81a5895165d163bf4a36 11013851 wordpress_3.6.1+dfsg-1~deb6u1.debian.tar.gz
4ab6406703fc6715c5fabd03297c91eb0fc891047b901206a95c5ebebe14255e 3989552 wordpress_3.6.1+dfsg-1~deb6u1_all.deb
6ccd3ff5259953fa791eb9a65c451821b9034a48bd6876fc147e17ec97b6ab81 8859512 wordpress-l10n_3.6.1+dfsg-1~deb6u1_all.deb
Files:
3de8613f1ab97dcbecbdf7a84f9cdada 1780 web optional wordpress_3.6.1+dfsg-1~deb6u1.dsc
4fbd2c241f5d7075b115dfba1b130bfa 3214412 web optional wordpress_3.6.1+dfsg.orig.tar.xz
ca958a33d1472d748eae52a79196df28 11013851 web optional wordpress_3.6.1+dfsg-1~deb6u1.debian.tar.gz
3c2875f0b029dd6ce76b39897f548efc 3989552 web optional wordpress_3.6.1+dfsg-1~deb6u1_all.deb
b55cd30ea279c0b1e1ea4653acf37391 8859512 localization optional wordpress-l10n_3.6.1+dfsg-1~deb6u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (GNU/Linux)
iQEcBAEBCgAGBQJSNB+wAAoJEG3bU/KmdcClzo4IAI9UtZkS10Tjjoe3ehtt23AM
7RLhZtTVAfwEWL/lvrpipE8Vajaef79eXH07F5PwXD9kATu6rU/10/ONUf3PCgXD
8Lw/+Rembm3aPacLnfz21t15Js6uQTWvdDn/JzcT/8MLsMrWI80jpgoVstqixpGL
gxRuRKNsZFirShDF4lSGLM3lEnRF1k0I9D3SlvcUJChuSKNhdLx7Q1YK2Hqx6JkB
V1fBnYq7RGLX8jyx6W/JuRQ7zd9JWeiwIBgDx0Hhbb2as2SSc0PuwI+o9YRW7vgz
Sze7jVqD/VgxounhEmEZ/fBLVVT6MtAjXH5LMlGcbHIINzsPJVjBjr+4Oa/d/is=
=r28f
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Mar 2014 07:28:47 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:24:03 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.