Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 237406 (CVE-2008-4106)

Summary: www-apps/wordpress < 2.6.2: MySQL table truncation (CVE-2008-4106)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: enhancement CC: gentoo_bugs_2_peep
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://wordpress.org/development/2008/09/wordpress-262/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2008-09-11 17:27:00 UTC 
I know wordpress is not security supportet atm, but anyway I think we should bump it. 2.6.1 also had some security fixes afair and is not yet in the tree.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:28:20 UTC 
CVE-2008-4106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4106):
  WordPress before 2.6.2 does not properly handle MySQL warnings about
  insertion of username strings that exceed the maximum column width of
  the user_login column, and does not properly handle space characters
  when comparing usernames, which allows remote attackers to change an
  arbitrary user's password to a random value by registering a similar
  username and then requesting a password reset, related to a "SQL
  column truncation vulnerability." NOTE: the attacker can discover the
  random password by also exploiting CVE-2008-4107.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-21 13:28:09 UTC 
Removed wordpress-2.5.1, -2.6, added 2.6.2. Security masked anyway. Webapps done.