Summary: | www-apps/wordpress XSS vulnerability (CVE-2007-1049) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Pierre-Yves Rofes (RETIRED) <py> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED DUPLICATE | ||
Severity: | normal | CC: | beandog, kccricket, moixa, peter.westwood, security, sgtphou |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | m68k | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/24306/ | ||
Whiteboard: | B4 [maskglsa] DerCorny | ||
Package list: | Runtime testing required: | --- |
Description
Pierre-Yves Rofes (RETIRED)
2007-02-26 12:44:46 UTC
hi, given that >=2.1 is masked because it needs more testing and considering the long list of security bugs, i would like to mask the whole package. Comments? I agree, and see bug 163817 which is harldy solved, there is already another XSS! I'm sure Steve will agree too. I vote for a GLSA since wordpress is rather common. The bug is probably already fixed in 2.1.1, which is in the tree. If it's present in 2.0.9 as well, then I have no problems with masking the whole package. (In reply to comment #3) > The bug is probably already fixed in 2.1.1, which is in the tree. If it's > present in 2.0.9 as well, then I have no problems with masking the whole > package. > This is what 2.1.1 and 2.0.9 were released to fix AFAIK. And is already noted on bug 163817 See http://bugs.gentoo.org/show_bug.cgi?id=163817#c4 (In reply to comment #4) > And is already noted on bug 163817 See > http://bugs.gentoo.org/show_bug.cgi?id=163817#c4 > we were wrong, that's not the same, sorry. Thank you for having pointed it out. I've just looked into the diff between 2.0.7 2.0.8, and 2.0.9 and the only change in templates.php is between 2.0.9 and 2.1. That's inconsistent with Secunia which says that 2.1 is affected and 2.1.1 is fixed. As for me, 2.0.9 is vulnerable and 2.1 is fixed, but i'm note sure. CVE-2007-0539 = SA23912 = bug 163817 = "pingback" information disclosure http://www.securityfocus.com/bid/22220 CVE-2007-1049 = SA24306 = bug 168449 = templates.php XSS http://www.securityfocus.com/bid/22534 and another one! bug #168529 ... mask? I can say with certainty that this is fixed in 2.1.2. *** This bug has been marked as a duplicate of bug 168529 *** |