
Bug 362587

Summary: <www-apps/wordpress-3.1.1: CSRF, XSS, DoS
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: planet, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2011-04-08 12:29:59 UTC
Upstream release notes for 3.1.1 mention three security flaws:
http://wordpress.org/news/2011/04/wordpress-3-1-1/
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-04-08 13:49:45 UTC
From that URL:

> Version 3.1.1 also addresses three security issues discovered by
> WordPress core developers Jon Cave and Peter Westwood, of our
> security team. The first hardens CSRF prevention in the media
> uploader. The second avoids a PHP crash in certain environments when
> handling devilishly devised links in comments, and the third
> addresses an XSS flaw.
Comment 2 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2011-05-22 09:44:25 UTC
3.1.1 and 3.1.2 have been in tree for quite some time now. Do you want us to remove the old ones?
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-22 21:23:15 UTC
Yes, please. I'm running some WordPress installations myself, and do not see any reason to keep anything but the newest version.
Comment 4 Tim Harder gentoo-dev 2011-05-23 02:07:02 UTC
(In reply to comment #3)
> Yes, please. I'm running some WordPress installations myself, and do not see
> any reason to keep anything but the newest version.

Done. Only 3.1.2 is now in CVS.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:30:39 UTC
Thanks, everyone. Closing NOGLSA since this is ~arch only.