| Field | Value |
|---|---|
| Summary | `<www-apps/wordpress-3.8.2`: multiple vulnerabilities (CVE-2014-{0165,0166}) |
| Product | Gentoo Security |
| Reporter | Laurent Bachelier <laurent> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | djc, web-apps |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://wordpress.org/news/2014/04/wordpress-3-8-2/ |
| Whiteboard | ~4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description

Laurent Bachelier, 2014-04-08 20:03:16 UTC

I think the two CVEs assigned are CVE-2014-0165 and CVE-2014-0166: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744018 http://codex.wordpress.org/Version_3.8.2

*** Bug 507250 has been marked as a duplicate of this bug. ***

Minor update/fix: http://wordpress.org/news/2014/04/wordpress-3-8-3/

3.8.3 in tree and 3.7 was never included.

Package not stable: closing noglsa

CVE-2014-0166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0166): The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.

CVE-2014-0165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0165): WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.