Bug 362587 - <www-apps/wordpress-3.1.1: CSRF, XSS, DoS
Summary: <www-apps/wordpress-3.1.1: CSRF, XSS, DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2011-04-08 12:29 UTC by Hanno Böck
Modified: 2011-05-23 02:30 UTC
See Also:
Package list:
Runtime testing required: ---
Description Hanno Böck gentoo-dev 2011-04-08 12:29:59 UTC
Upstream release notes for 3.1.1 mention three security flaws:
http://wordpress.org/news/2011/04/wordpress-3-1-1/
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-04-08 13:49:45 UTC
From that URL:

> Version 3.1.1 also addresses three security issues discovered by
> WordPress core developers Jon Cave and Peter Westwood, of our
> security team. The first hardens CSRF prevention in the media
> uploader. The second avoids a PHP crash in certain environments when
> handling devilishly devised links in comments, and the third
> addresses an XSS flaw.
Comment 2 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2011-05-22 09:44:25 UTC
3.1.1 and 3.1.2 have been in the tree for quite some time now. Do you want us to remove the old ones?
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-22 21:23:15 UTC
Yes, please. I'm running some WordPress installations myself, and do not see any reason to keep anything but the newest version.
Comment 4 Tim Harder gentoo-dev 2011-05-23 02:07:02 UTC
(In reply to comment #3)
> Yes, please. I'm running some wordpress installations myself, and do not see
> any reason to keep anything but the newest version.

Done. Only 3.1.2 is now in CVS.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:30:39 UTC
Thanks, everyone. Closing NOGLSA since this is ~arch only.