Description: kartoffelguru has discovered a vulnerability in WordPress, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "cache_lastpostdate" parameter via cookies is not properly sanitised before being used. This can be exploited to inject arbitrary PHP script code. Successful exploitation requires that "register_globals" is enabled. The vulnerability has been confirmed in version 1.5.1.3. Other versions may also be affected.
I'm aware of this. I don't since if this merits being put into package.mask yet, since register_globals is off by default in Gentoo's implementation of PHP. Upstream is aware of this and 1.5.2 is due in the next couple days, with patches.
The joys of typing when you're dead tired... this post was *supposed* to say the following: I'm aware of this. I don't know if this merits being put into package.mask yet, since register_globals is off by default in Gentoo's implementation of PHP. Upstream is aware of this and 1.5.2 is due in the next couple days, with patches.
Bumped to version 1.5.2 - which fixes this issue. Just committed, should be on the mirrors shortly.
Thx Aaron. This one is ready for GLSA decision, I tend to vote NO.
I tend to a no, too.
Sorry guys. Got trigger happy on the commit and didn't keyword ~ properly. Fixed and recommitted.
Stable on ppc.
Stable on SPARC.
Sorry for the delay... x86 there
Ready for GLSA vote, 1/2 no from me.
Add my full NO to this. register_globals is evil. Closing.