Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <53E2F5B5.5090409@redhat.com>
Date: Wed, 06 Aug 2014 21:42:45 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: WordPress 3.9.2 release - needs CVE's

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://wordpress.org/news/2014/08/wordpress-3-9-2/

WordPress 3.9.2 is now available as a security release for all
previous versions. We strongly encourage you to update your sites
immediately.

This release fixes a possible denial of service issue in PHP?s XML
processing, reported by Nir Goldshlager of the Salesforce.com Product
Security Team. It  was fixed by Michael Adams and Andrew Nacin of the
WordPress security team and David Rothstein of the Drupal security
team. This is the first time our two projects have coordinated on
joint security releases.

WordPress 3.9.2 also contains other security changes:

- -Fixes a possible but unlikely code execution when processing widgets
(WordPress is not affected by default), discovered by Alex Concha of
the WordPress security team.

- -Prevents information disclosure via XML entity attacks in the
external GetID3 library, reported by Ivan Novikov of ONSec.

- -Adds protections against brute attacks against CSRF tokens, reported
by David Tomaschik of the Google Security Team.

- -Contains some additional security hardening, like preventing
cross-site scripting that could be triggered only by administrators.


- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT4vW1AAoJEBYNRVNeJnmT+A0QAM2EA4lPv2X2GjXrN0vBwd34
t6ZsERENU8NubiJ2hkItzkOo6vMQbU3gBETPApLbh/lpqQ1FttNjujv08jtSvKwq
XK8eiXICIHO7XkY1mjiNfjhQqiFpG/r0X6Kr2xmJbOUGjc+WpJ4oik+RMwYz8Ly5
hsKNbUKOj5Umf6XCFr/dDTABSZgXSF52BdD2c6Rdg7jqSk+t+zww6QaqJteCgrcF
SUOBFv46aDpQB9/3koCu8xjzwW7lvLIjxIOzHilNPx3HDf5SYffQqsrPpN4IJmTk
Ven68s4yNelxSW1cKfIgbN1aNxy8p68cZLzPPkpMcMZ2i0HjSmB7Vjf0bDhuw8XA
nds/Oz3L3+86gMs3yjnJ8EnFhLxmqXRvJaR+mJoVbUnw7JZaHgVKdt0LYTUkY3/E
sGFGP/6mrG0SDix7HdaV84RxLTL6gLOa68WnkdZFXiQL3dVw4GiJMugHrgI+DWZh
2+wOp2qeqXoguy+RE4yoN2DNs0kRe+MeGYjVhUKoYLfAZ1KEMpnpRvDXqm7OBNXc
8YBSVDfYn3uw2JwpLMHHWbV4wUeuS6GSqlzuFnagrOoEe+oD4kCnMXlnq2r3ZB2a
rqHK4zrVjG2NKw4J6U/L6bdxqjVpXg1zQCjWDGQQTYjZeUK79Us5vIeN11qsuM3i
vRjxbAWaIGTmkdUXepdQ
=88AQ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.