From the URL: "Fixes issues in the XML-RPC remote publishing interface which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish or delete posts. (r16803)" As it's fixed in 3.0.3, I would suggest a fast-track stabilisation process and the subsequent removal of both 3.0.1 and 3.0.2.
the wordpress 3.0.3 is in tree already. As blogs.g.o is using it, we try to bump it immediatelly. There is no stable version of wordpress though, and I don't think there is any reason to stabilize it.
OK. Maybe just drop 3.0.1 and 3.0.2 then? I'm not sure how many out there actually use the XML-RPC interface but it seems nasty enough to take that extra step to ensure that no-one (unwittingly) uses a vulnerable version.
Also, if you're looking for a quick production fix for blogs.gentoo.org, here's the diff: http://core.trac.wordpress.org/changeset/16803?format=diff&new=16803
I was aware of those diffs, they are included in the announcement pages, but thanks anyway. wordpress 3.0.{1,2} removed from tree
Thanks, folks. Closing noglsa.
CVE-2010-5106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5106): The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role.
