| Summary: | <www-apps/wordpress-4.7.1: Remote code execution through embedded dev-php/PHPMailer (CVE-2016-10033) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | chris, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://core.trac.wordpress.org/ticket/37210 | ||
| Whiteboard: | ~2 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 603752 | ||
|
Description
Thomas Deutschmann (RETIRED)
2016-12-26 13:18:54 UTC
I've bumped wordpress to the latest version 4.7 which is not vulnerable. No, vanilla WordPress v4.7 is vulnerable. It ships the vulnerable PHPMailer class (just renamed). Upstream already merged the patched version, see $URL, but changes not released yet. (In reply to Thomas Deutschmann from comment #2) > No, vanilla WordPress v4.7 is vulnerable. It ships the vulnerable PHPMailer > class (just renamed). Upstream already merged the patched version, see $URL, > but changes not released yet. Thanks for the clarification. Bump to 4.7.1 with a fix. commit 67671baada119a8d4b6491afd9bfffe8c397f0c2 Author: Sebastian Pipping <sping@g.o> Date: Wed Jan 11 21:18:00 2017 +0100 www-apps/wordpress: 4.7.1 (bug #603754) Package-Manager: Portage-2.3.3, Repoman-2.3.1 www-apps/wordpress/Manifest | 1 + www-apps/wordpress/wordpress-4.7.1.ebuild | 56 +++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) https://github.com/gentoo/gentoo/commit/67671baada119a8d4b6491afd9bfffe8c397f0c2 @ Maintainer(s): Thank you for the bump. Cleanup will happen as part of bug 605408. |