Bug 142142 - www-apps/wordpress - security version bump to 2.0.4 (CVE-2006-3389|3390)
Summary: www-apps/wordpress - security version bump to 2.0.4 (CVE-2006-3389|3390)
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High normal
Assignee: Gentoo Security
URL: http://wordpress.org/development/2006...
Whiteboard: C1 [glsa] frilled
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-29 19:45 UTC by Aaron Kulbe (RETIRED)
Modified: 2006-08-11 06:58 UTC

See Also:
Package list:
Runtime testing required: ---


Description Aaron Kulbe (RETIRED) gentoo-dev 2006-07-29 19:45:52 UTC
Version 2.0.4 fixes some bugs.  Bump.
Comment 1 Aaron Kulbe (RETIRED) gentoo-dev 2006-07-29 19:49:05 UTC
Done.
Comment 2 Aaron Kulbe (RETIRED) gentoo-dev 2006-07-30 17:09:34 UTC
An ebuild name would help....


www-apps/wordpress

bumped from 2.0.3 to 2.0.4
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-07-31 05:38:54 UTC
taking over the bug since 2.0.4 fixes security issues

"WordPress 2.0.4, the latest stable release in our Duke series, is available for immediate download. This release contains several important security fixes, so it's highly recommended for all users. We've also rolled in a number of bug fixes (over 50!), so it's a pretty solid release across the board."

arches, please test and mark wordpress-2.0.4 stable if possible
Comment 5 Wolf Giesen (RETIRED) gentoo-dev 2006-07-31 05:49:27 UTC
2.0.3 is affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3390 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3389

Which sounds like B3/minor to me.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2006-07-31 05:51:32 UTC
oh and there is this... "announcement"

http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2006-07-31 10:12:20 UTC
stable on hppa
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-07-31 11:00:57 UTC
ppc stable
Comment 9 Joshua Jackson (RETIRED) gentoo-dev 2006-07-31 20:11:32 UTC
x86 is gone ^.^
Comment 10 Wolf Giesen (RETIRED) gentoo-dev 2006-08-02 02:09:04 UTC
sparc, how's your happiness factor? :)
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2006-08-02 10:38:14 UTC
sparc stable.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-03 01:05:14 UTC
see CVE 3389 & 3390: I vote a full NO.
Comment 13 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-08-03 01:08:55 UTC
I vote a big no.
Comment 14 Wolf Giesen (RETIRED) gentoo-dev 2006-08-03 01:18:19 UTC
NO
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-03 01:25:24 UTC
Might also fix another issue, but I can't really find any information on it justifying a GLSA.

So I guess this is a NO as well.
Comment 16 Wolf Giesen (RETIRED) gentoo-dev 2006-08-03 02:10:07 UTC
http://unknowngenius.com/blog/archives/2006/07/27/followup-on-wordpress/ produces a lot of FUD, there's a follow-up that *might* make us want to reconsider:

http://www.4null4.de/174/wp-users-disable-guest-account-registration-immediately/

Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-03 02:15:35 UTC
@comment #15: Not really a lot of information there either. Maybe we should try mailing upstream?
Comment 18 Wolf Giesen (RETIRED) gentoo-dev 2006-08-03 02:22:46 UTC
I'll try but I doubt the usefulness .-)
Comment 19 Wolf Giesen (RETIRED) gentoo-dev 2006-08-03 02:29:59 UTC
Wordpress contacted.
Comment 20 Wolf Giesen (RETIRED) gentoo-dev 2006-08-03 23:53:50 UTC
Ok, I got an answer from WordPress; there is a problem in the core application not mentioned here yet that they wish not yet published. Details available from me. I personally think we might want to issue a GLSA. After all, WP *is* in the official tree, so we can't really bail out on our own commitment.
Comment 21 Wolf Giesen (RETIRED) gentoo-dev 2006-08-07 04:44:28 UTC
Pinging SecTeam again
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-07 05:27:15 UTC
(In reply to comment #20)
> Pinging SecTeam again
> 

I vote no GLSA

Comment 23 Wolf Giesen (RETIRED) gentoo-dev 2006-08-07 05:27:52 UTC
I change to YES.
Comment 24 Matthias Geerdsen (RETIRED) gentoo-dev 2006-08-07 05:59:28 UTC
/me tends to vote yes
Comment 25 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-07 09:38:21 UTC
Ok, let's have a GLSA with no details :-)
Comment 26 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-07 09:39:27 UTC
I don't get this. I probably misunderstand the whole thing... So what we have is: the 2 CVEs. One absolutely minor, and one disputed and minor -> no glsa.

Then we have some FUD coming from blogs. Uh yeah, blogs... no real info there, too. I won't issue a GLSA saying "XY said on his blog that one might be able to conduct $evilthings" -> no glsa.

Then we have that other unknown problem. Is that fixed in 2.0.4? Is this related to 3rd party plugins? If a user installs 3rd party plugs, then it's his own problem. -> no glsa.
Comment 27 Wolf Giesen (RETIRED) gentoo-dev 2006-08-07 09:55:20 UTC
Frankly I don't give a damn. If you ask me, mask the app. My point still stands that the bug is in the core. Installing plugins is your own risk, the core not handling plugins correctly is not. Just close if you see fit.
Comment 28 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-07 12:39:26 UTC
@comment #25: the so-called FUD and unknown problem appears to be one and the same thing.

@comment #26: User roles and capabilities are clearly described by upstream: http://codex.wordpress.org/Roles_and_Capabilities

If my understanding of the issue is correct I'd rerate as C1.
Comment 29 Wolf Giesen (RETIRED) gentoo-dev 2006-08-07 12:49:40 UTC
Thanks and excuse my outburst .-)
Comment 30 Wolf Giesen (RETIRED) gentoo-dev 2006-08-08 05:13:10 UTC
Rerating to C1 after discussion, even if it's only to be on the safe side. Ready for GLSA, then.
Comment 31 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-10 14:04:21 UTC
GLSA 200608-19

thanks to all
Comment 32 Wolf Giesen (RETIRED) gentoo-dev 2006-08-11 06:58:02 UTC
Thanks, and fight the FUD :P