Bug 168529 - www-apps/wordpress security status
Bug#: 168529
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: enhancement
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: keith@email.arizona.edu
Component: Vulnerabilities
URL: http://www.securityfocus.com/archive/1/461351
Summary: www-apps/wordpress security status
Keywords:
Status Whiteboard: B4 [maskglsa]
Opened: 2007-02-27 07:02 0000
|
The ~arched tree is still vulnerable, please mask the vulnerable ebuild or
~keyword 2.1.1. (Or both.)
Should we issue a GLSA?
Personally I tend to think we should issue a GLSA warning our users that
wordpress is no longer security-supported (either it's put in p.mask or in
~arch).
I'm pro-mask. I simply can't recommend anyone to use this app - if users want
it, then they still can unmask...
(In reply to comment #3)
> Bad days for wordpress. Now, an exploit that was added by a cracker.
> http://wordpress.org/development/2007/03/upgrade-212/
> Does this affect gentoo?
We've already noticed. Pretty much hard to say, no one upstream bothered to
provide the hashes of 'genuine' vs. 'cracked' files. This thing needs to be
completely masked and possibly just removed from portage; upstream can't be
much more lame than this. :X
Just found this by coincidence...
# Stefan Cornelius <dercorny@gentoo.org> (3 Mar 2007)
# Masking wordpress due to a long list of security bugs
# e.g. check bug #168529
www-apps/wordpress
Since it seems to be masked now... do we want a mask GLSA?
Does this really need to be hard-masked? A major XSS vulnerability (at least the
other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only
the 2.1.1 package was tampered with and even that was only vulnerable
between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the
tampering.
Also, I'm sure Wordpress could provide some digests of their "genuine" archive
files if asked to guard from future tampering.
At the least maybe arch-mask this across the board instead of hard-mask it
since the security issues are *well* documented in other locations as well.
It should be noted that this vulnerability was filed within the date range that
the tampered 2.1.1 file was available (2007-2-25 to 2007-3-2).
If this is still the case in 2.1.2, then that's fine. Otherwise this shouldn't
be grounds for masking 2.1.2 as well.
Technically you could probably just outright remove 2.1.1 from the portage tree
since it no longer exists as far as a version you can download from the
wordpress.org site.
As far as 2.1.2 I still think arch mask is more fitting from a user's
perspective. Hard mask to me implies either a development version or outright
"unstable" behavior. For example, Joe user tries to use a common feature in an
everyday kind of way (i.e. not injecting various SQL statements in odd places)
and the software breaks something or outright crashes. This seems to be
reinforced by the Gentoo Development Guide
(http://devmanual.gentoo.org/keywording/):
"The package.mask file can be used to 'hard mask' individual or groups of
ebuilds. This should be used for testing ebuilds or beta releases of software,
and may also be used if a package has serious compatibility problems. Packages
which are not hard masked must not have a dependency upon hard masked packages.
The only time it is acceptable for a user to see the Possibly a DEPEND problem
error message is if they have manually changed visibility levels for a package
(for example, through /etc/portage/) and have missed a dependency. You should
never commit a change which could cause this error to appear on a user system."
... This is not so much "unstable" as it is "security flawed" and finding such
flaws is more indicative of simple arch mask ... not a hard mask as the
Development Guide would seem to dictate.
Either way a GLSA is a good step, I have no issue there. My only issue is with
the level of masking on the 2.1.2 version.
Oops. 2.1.1 is already removed. You can disregard that part of my post.
(In reply to comment #6)
> Does this really need to be hard-masked? A major XSS vulnerability (at least the
> other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only
> the 2.1.1 package was tampered with and even that was only vulnerable
> between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the
> tampering.
>
I really don't know why all those people discovered so many vulnerabilities
in wordpress during these last few weeks, see:
http://secunia.com/search/?search=wordpress
and
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
That's impressive.
Wordpress definitely can't be considered as a stable package (arched) nor as a
for-stable-testing package (~arched)
*** Bug 168449 has been marked as a duplicate of this bug. ***
(In reply to comment #11)
You can't just look at the number of results just by searching "wordpress", say
"Wow, that's a lot. This product must be really unstable", and leave it at
that. Many of the vulnerabilities listed are for *much older versions* (i.e.
previous to even 2.0). In at least one case on cve.mitre.org, there was a
vulnerability that didn't have anything to do with Wordpress itself and yet it
showed up in the search because it's just a simple partial text search (for
example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0574 ). Two of
the CVE vulnerabilities cite the same sources and are really two symptoms of
the same vulnerability (
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0540 and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0541 ) and even those
are more a problem with the 3rd party pingback function that wordpress uses
rather than wordpress itself (they had a couple of issues with their
implementation of it on top of the vulnerability but that has been fixed since
version 2.1).
After looking through any listings that remotely appeared to possibly affect the
current version (I think 2.0.9 could probably be dumped from the portage tree
at this point) I've cut the list down to 3 "internal" vulnerabilities and
one "external" vulnerability (i.e. the previously mentioned "pingback"
vulnerability URLs) and even some of the internal vulnerabilities can be
corrected by blocking the direct access of certain files through .htaccess.
URLs for "current" vulnerabilities:
http://secunia.com/advisories/24316/
http://secunia.com/advisories/24430/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1409
There was also one other "unfixed" vulnerability listed, but it's a pretty
trivial one that's only valid for manual brute-force type attacks. It concerns
differing error messages for bad user names and bad passwords. It may have been
fixed by now (it was reported on version 2.0.5).
URL: http://secunia.com/advisories/23621/
Too long for my tired eyes, sorry. Perhaps the maintainer will choose to put
it back into ~arch later, we'll see.
(In reply to comment #14)
> Too long for my tired eyes, sorry. Perhaps the maintainer will choose to put
> it back into ~arch later, we'll see.
>
Can we please close the security bugs now that it's hard masked?
I'm not going to kill the 2.0.x branch since upstream is backporting security
patches to it.
And I'm not going to unmask it anytime soon since 2.0.5 through 2.0.9 were all
security bugfix releases coming out on average two weeks apart each.
The hard mask is:
www-apps/wordpress
It seems to me that it should have been
<www-apps/wordpress-2.1.2
Wordpress is, in general, a good product with an extremely active user
community and good upstream maintenance. Additionally, the security problem
with 2.1.1 wasn't with Wordpress itself, but the site from which wordpress is
distributed. Wordpress is certainly not "unstable".
Hard masking all of Wordpress does not seem like a response measured against
the actual risk. Please consider changing the mask as above.
Thank you.
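To make the difference between the two mask entries discussed above concrete, here is an added example (not code from the bug thread or from Portage) that models how a bare atom and a "<" atom in package.mask select versions. It assumes plain dotted numeric versions and only these two entry forms, not the full Portage atom and version grammar.

```python
# Added example: simplified package.mask matching for the two entry forms
# discussed in the thread. Assumption: versions are dotted integers and only
# the bare atom and the "<" operator are supported (not full Portage semantics).
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.0.10' -> (2, 0, 10); tuples compare component-wise, so 2.0.10 > 2.0.9."""
    return tuple(int(part) for part in text.split("."))


def parse_mask(entry: str) -> Tuple[str, str, Optional[Version]]:
    """Split a package.mask line into (operator, package, version).

    'www-apps/wordpress'        -> ('',  'www-apps/wordpress', None)
    '<www-apps/wordpress-2.1.2' -> ('<', 'www-apps/wordpress', (2, 1, 2))
    """
    entry = entry.strip()
    if entry.startswith("<"):
        # The version follows the last '-'; the category may itself contain '-'.
        package, _, version = entry[1:].rpartition("-")
        return "<", package, parse_version(version)
    return "", entry, None


def is_masked(entry: str, package: str, version: str) -> bool:
    """True if the given package version is hidden by this mask entry."""
    operator, masked_package, masked_version = parse_mask(entry)
    if masked_package != package:
        return False
    if operator == "":
        return True  # bare atom: every version of the package is masked
    return parse_version(version) < masked_version  # '<': only older versions


def masked_versions(entry: str, package: str, versions: List[str]) -> List[str]:
    """Filter a list of tree versions down to those the entry masks."""
    return [v for v in versions if is_masked(entry, package, v)]


# Constructed sample: the wordpress versions mentioned in this thread.
TREE = ["2.0.9", "2.0.10", "2.1.1", "2.1.2", "2.1.3"]

if __name__ == "__main__":
    for entry in ("www-apps/wordpress", "<www-apps/wordpress-2.1.2"):
        print(f"{entry:28} masks {masked_versions(entry, 'www-apps/wordpress', TREE)}")
```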
GLSA 200703-23
Moving to enhancement pending resolution.
Steve please comment here if you unmask or remove future versions.
http://wordpress.org/development/2007/04/wordpress-213-and-2010/
Wordpress 2.1.3 and 2.0.10
We have a security update release now available for both the 2.1 and 2.0
branches of WordPress now available for immediate download. This update is
highly recommended for all users of both branches.
----------
Lots of people are using wordpress. We should at least update the ebuild although
it is being marked as masked.
web-apps, what do you say?
For people that don't want to/can't wait much longer, copying the ebuild for
2.1.2 in an overlay and renaming it to wordpress-2.1.3.ebuild works just fine.
(In reply to comment #21)
> New ebuilds in CVS
Does this mean it's going to be unmasked?
(In reply to comment #22)
> (In reply to comment #21)
> > New ebuilds in CVS
>
> Does this mean it's going to be unmasked?
>
No.
Can we close the bug?
(In reply to comment #23)
If you're wanting to close the bug, then why not unmask it??? I mean what's the
sense of keeping it masked if 2.1.3 and 2.0.10 are supposed to fix all the XSS
issues?
(In reply to comment #24)
Sorry, I like wordpress as much as the next guy, but it has had a poor security
track record recently, which led us to p.mask it in the first place.
If things improve in the future, we'll look at it again, but now's not the
time.
(In reply to comment #25)
I guess it makes some sense when you put it that way. As long as there's a fair
chance for the software to "redeem" itself, then I guess there's not as much of
a problem. I'll just have to keep my "www-apps/wordpress" entry in
package.unmask for a little while longer :-). I'm just hoping the hard mask
doesn't "scare off" some people as much as ... say ... an alpha release of most
any Microsoft product ( or beta ... or perhaps even "stable" depending on your
point of view )
I know this just creates what I'm actually asking to stop... Can we have this
be a bug, and not a forum? Thank you :)
(In reply to comment #28)
> Two weeks ago WordPress released a major security update in 2.2.1. Any chance
> of changing the hard/whole package mask to a "<www-apps/wordpress-2.2.1" mask?
>
> See: http://wordpress.org/support/topic/122939
>
As long as every little new Wordpress release contains security-relevant fixes
I'd say: no.
Can this bug be closed? If not, and it should be kept open as a reference that
the removal of the hard mask of wordpress might be only temporary, then I suggest
modifying the topic so that this becomes clear.
This bug should stay open until the mask is removed and we'd likely need to
issue a new GLSA at that point.
wrobel, feel free to change the title if you have one that suits better, I need
more coffee here :)
(In reply to comment #35)
> This bug should stay open until the mask is removed and we'd likely need to
> issue a new GLSA at that point.
>
> wrobel, feel free to change the title if you have one that suits better, I need
> more coffee here :)
The p.mask is removed for >=2.3, but those are not stable.
Hmmm I guess we'll have to wait until it is stable again (if ever).
In light of #208980 and the fact that this app had a number of sec issues
during the months it has been unmasked, the question has come up whether we
should completely move this app into the webapp-experimental overlay.
I don't mind bumping wordpress once in a while but I also don't feel it is too
good if we tell our users that this is a usable app.
How does security feel about wordpress?
(In reply to comment #38)
> In light of #208980 and the fact that this app had a number of sec issues
> during the months it has been unmasked, the question has come up whether we
> should completely move this app into the webapp-experimental overlay.
>
> I don't mind bumping wordpress once in a while but I also don't feel it is too
> good if we tell our users that this is a usable app.
>
> How does security feel about wordpress?
>
Like you said, new wordpress vulns pop up every month, so IMO it should stay
p.masked. The webapp-experimental sounds like a plan.
I don't think it needs to move to an experimental overlay, if it is p.masked.
Okay, hard mask applied again.
*** Bug 219912 has been marked as a duplicate of this bug. ***
Are there any other open vulnerabilities?
If not, shall we unmask it?
Thanks!
2.6 has been released, what's the status of that one?
Added wordpress-2.6. Let's see how this one fares during the next months but I
don't really expect fewer sec bugs.
2.6.1 is out, would love to see it added to the tree.
2.6.2 is out, fixing a SQL column truncation issue that allows for user
password reset.
Another one: CVE-2008-5278
Luckily, we've only got 2.6.5 in tree.
How about Wordpress 2.7? Hopefully it will have a better security record :D.
Probably wordpress has improved these days and upstream is working on bugs. What
about unmasking it? I'm going to do this if nobody objects.
Also CVE-2008-5695.
I'm against stabilizing it, as wordpress has too long a security record for my
taste. If there are no bugs for three months I might change my mind, though.
(In reply to comment #54)
> Also CVE-2008-5695.
> I'm against stabilizing it, as wordpress has too long a security record for my
> taste. If there are no bugs for three months I might change my mind, though.
>
There's a difference between unmasking it (like Peter suggested) and
stabilizing Wordpress.
3 _months_ for a php app? Not going to happen :). I agree that it should be
unmasked. There is probably no reason to stabilize a package like this because
changes will be so frequent, however, unless the policy were to be different
(i.e. minor releases pushed stable immediately).
FWIW in recent times it has been no worse than Drupal or Mediawiki.
Uuuh, why did I read stabilize there?
Unmasking might be ok, but I'm against stabling.
(In reply to comment #57)
> Uuuh, why did I read stabilize there?
> Unmasking might be ok, but I'm against stabling.
>
I agree.
Unmasked. Let's close this bug, noglsa since wordpress is now an unstable package.
OK, closing since it's now unmasked. We'll open new bugs as new issues pop up.