Bug 540256 (CVE-2014-6412) - <www-apps/wordpress-4.4: lack of CSPRNG might lead to information disclosure
Summary: <www-apps/wordpress-4.4: lack of CSPRNG might lead to information disclosure
Status: RESOLVED FIXED
Alias: CVE-2014-6412
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa]
Reported: 2015-02-16 08:03 UTC by Agostino Sarubbo
Modified: 2016-11-23 13:51 UTC

Description Agostino Sarubbo gentoo-dev 2015-02-16 08:03:05 UTC
From ${URL} :

It was reported [1] that all versions of WordPress are using a weak random number generation
algorithm, which makes it possible to predict the password reset token for the admin user.
Non-upstream patch is available here:
https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch

[1]: http://seclists.org/fulldisclosure/2015/Feb/42


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 23:56:48 UTC
Upstream implemented a real CSPRNG in v4.4 which landed in Gentoo repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/www-apps/wordpress?id=ec13cc7f87541d157420ef03a44a203ce400f4ec
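To make the failure mode concrete, here is an added example (not WordPress code, and not the patch from ticket 28633) that models the class of bug described above: a password reset key built from `mt_rand()` after seeding Mersenne Twister with a small, guessable value. Everything in it is constructed for illustration: the function names `weak_reset_key`, `recover_seed` and `strong_reset_key` are hypothetical, the 20-character alphanumeric key format only approximates a reset key, and the seed is a Unix timestamp chosen near the bug report date. The hardened variant uses `random_int()`, which draws from the OS CSPRNG on PHP 7 or via the random_compat polyfill on older PHP; my understanding is that this is the kind of source upstream adopted in 4.4, but the page itself only says "a real CSPRNG".

```php
<?php
// Added example, not part of WordPress or of this bug report. Models the
// pre-4.4 weakness: a reset key derived from mt_rand() after mt_srand() with
// a seed an attacker can enumerate (here: a Unix timestamp).

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak generator (hypothetical): the key is a pure function of a 32-bit seed,
// so anyone who can guess the seed can reproduce the key offline.
function weak_reset_key(int $seed, int $length = 20): string
{
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    mt_srand($seed);
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[mt_rand(0, $max)];
    }
    return $key;
}

// Attacker side: request a reset for an account you control, read the key
// from the e-mail, then brute-force the seed over the window in which the
// request was made. Returns the seed, or null if it is outside the window.
function recover_seed(string $observed_key, int $seed_from, int $seed_to): ?int
{
    for ($s = $seed_from; $s <= $seed_to; $s++) {
        if (hash_equals($observed_key, weak_reset_key($s))) {
            return $s;
        }
    }
    return null;
}

// Hardened generator: random_int() reads from the OS CSPRNG (PHP 7+, or the
// random_compat polyfill on PHP 5). There is no seed to recover.
function strong_reset_key(int $length = 20): string
{
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Constructed scenario: the server seeded with the request timestamp.
$server_seed = 1424073785;                   // a timestamp near 2015-02-16 (constructed)
$attacker_key = weak_reset_key($server_seed); // key the attacker received for their own account

// The attacker only knows the request happened within a one-hour window.
$seed = recover_seed($attacker_key, $server_seed - 1800, $server_seed + 1800);
printf("observed key:   %s\n", $attacker_key);
printf("recovered seed: %s\n", var_export($seed, true));

// With the seed in hand, a reset request for the admin account issued under
// the same seeding rule yields a key the attacker can compute in advance.
if ($seed !== null) {
    printf("predicted admin key for seed %d: %s\n", $seed, weak_reset_key($seed));
}

// The hardened key cannot be reproduced by any search over seeds.
printf("CSPRNG-backed key: %s\n", strong_reset_key());
```

Two caveats when reading this against real code: the search space here is deliberately tiny (3601 seeds) to keep the run short, but even the full 32-bit `mt_srand()` space is a few minutes of CPU once the attacker has one observed key, and `hash_equals()` is used only to keep comparisons constant-time out of habit, it does not change the attack. The fix is not a better seed; it is removing the seed entirely by drawing each key from the OS CSPRNG, which is what the `strong_reset_key` variant does.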