Debian Bug report logs - #464170
wordpress: security flaw in xml-rpc implementation
Reported by: Nico Golde <nion@debian.org>
Date: Tue, 5 Feb 2008 16:09:01 UTC
Severity: grave
Tags: patch, security
Fixed in version wordpress/2.3.3-1
Done: Kai Hendry <hendry@iki.fi>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>: Bug#464170; Package wordpress.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Kai Hendry <hendry@iki.fi>.
Message #5 received at submit@bugs.debian.org:
Source: wordpress
Severity: grave
Tags: security patch
Hi Kai,
A security issue in wordpress' xml-rpc implementation was
found[0]:
| WordPress 2.3.3 is an urgent security release. A flaw was
| found in our XML-RPC implementation such that a specially
| crafted request would allow any valid user to edit posts of
| any other user on that blog.
Looking at the latest changes on xml-rpc the following
changesets seem to be relevant:
http://trac.wordpress.org/changeset/6709
http://trac.wordpress.org/changeset/6714
Upstream ticket:
http://trac.wordpress.org/ticket/5313
A CVE id is currently pending for this.
For further information:
[0] http://wordpress.org/development/2008/02/wordpress-233/
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Kai Hendry <hendry@iki.fi>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #10 received at 464170-close@bugs.debian.org:
Source: wordpress
Source-Version: 2.3.3-1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:
wordpress_2.3.3-1.diff.gz
to pool/main/w/wordpress/wordpress_2.3.3-1.diff.gz
wordpress_2.3.3-1.dsc
to pool/main/w/wordpress/wordpress_2.3.3-1.dsc
wordpress_2.3.3-1_all.deb
to pool/main/w/wordpress/wordpress_2.3.3-1_all.deb
wordpress_2.3.3.orig.tar.gz
to pool/main/w/wordpress/wordpress_2.3.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 464170@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kai Hendry <hendry@iki.fi> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 05 Feb 2008 16:22:57 +0000
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.3.3-1
Distribution: unstable
Urgency: high
Maintainer: Kai Hendry <hendry@iki.fi>
Changed-By: Kai Hendry <hendry@iki.fi>
Description:
wordpress - weblog manager
Closes: 464170
Changes:
wordpress (2.3.3-1) unstable; urgency=high
.
* New upstream security release
* http://wordpress.org/development/2008/02/wordpress-233/
* Fix for security flaw in XML-RPC implementation (Closes: #464170) and
http://trac.wordpress.org/ticket/5313
Files:
426d51b79675cfc2928a3f1c08607d63 650 web optional wordpress_2.3.3-1.dsc
19518de1117aa68f0c3de84b6858efc3 884898 web optional wordpress_2.3.3.orig.tar.gz
785942170e1b93d5398b013695e02329 10675 web optional wordpress_2.3.3-1.diff.gz
59d2a9ac4d3d451cfb6b3bc382c39cf1 873074 web optional wordpress_2.3.3-1_all.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>: Bug#464170; Package wordpress.
Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>: Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
Message #15 received at 464170@bugs.debian.org:
Hi,
Is something happening for CVE-2008-0664 (wordpress xml-rpc can edit
other user's posts) on etch? Has someone determined etch is not
vulnerable, is an update being prepared, ...?
--
Lionel
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Mar 2008 07:30:01 GMT)
Last modified: Wed Jun 19 19:06:56 2019