| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <www-apps/wordpress-4.2.3: two cross-site scripting (CVE-2015-{5622,5623}) | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | trivial | CC | leho, web-apps |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1219368 | | |
| Whiteboard | ~4 [noglsa cve] | | |
| Package list | | Runtime testing required | --- |
Description

Agostino Sarubbo, 2015-05-07 09:22:19 UTC
In light of https://wordpress.org/news/2015/07/wordpress-4-2-3/, 4.2.2 also has XSS vulnerabilities and should be immediately dropped in favor of 4.2.3.

02:33 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/wordpress/) Bump wordpress to release 4.2.3 - fixes bug 548828.

Security bump to address CVE-2015-5622 and CVE-2015-5623. Ebuild added to the tree.

+ 25 Jul 2015; Sebastian Pipping <sping@gentoo.org> -wordpress-3.8.5.ebuild,
+ -wordpress-3.9.3.ebuild, -wordpress-4.0.1.ebuild, -wordpress-4.1.ebuild,
+ -wordpress-4.1.1.ebuild, -wordpress-4.1.2-r2.ebuild, -wordpress-4.2.ebuild,
+ -wordpress-4.2.1.ebuild, -wordpress-4.2.2.ebuild:
+ Remove vulnerable releases (bug #548828 but not only)
+

Maintainer(s), thank you for your work. No stable versions, closing as noglsa.

Actually, removing all older versions was overshooting it a bit. WP is supported at upstream 4 releases back. So currently 3.8-branch still receives all upgrades and would be valid for living in our precious tree as well. Now the amount of work associated with this is another matter. I'm mainly looking to clarify here whether the package maintainer knows about the upstream policy or not.