Bug 607364 (CVE-2017-5610, CVE-2017-5611, CVE-2017-5612) - <www-apps/wordpress-4.7.2: Multiple security vulnerabilities (CVE-2017-{5610,5611,5612})
Summary: <www-apps/wordpress-4.7.2: Multiple security vulnerabilities (CVE-2017-{5610,...
Status: RESOLVED FIXED
Alias: CVE-2017-5610, CVE-2017-5611, CVE-2017-5612
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://wordpress.org/news/2017/01/wo...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-27 06:22 UTC by Francis Booth
Modified: 2017-02-01 02:24 UTC

See Also:
Package list:
Runtime testing required: ---


Description Francis Booth 2017-01-27 06:22:05 UTC
From URL:

WordPress versions 4.7.1 and earlier are affected by three security issues:

The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.

WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).

A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.


~ eleix (Security Padawan)



Reproducible: Didn't try
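The second item in the quoted advisory is the one most relevant to plugin and theme authors: WP_Query is only unsafe when a caller hands it unvalidated data. As an added illustration of that point (not WordPress core code, not part of this bug report, and not a description of which arguments the 4.7.2 hardening changed), the following PHP shows a hypothetical plugin that forwards request parameters straight into WP_Query beside a version that allowlists them first. The function names and the choice of `type`, `status` and `orderby` parameters are constructed for the example.

```php
<?php
// Added example (not WordPress core code and not part of this bug report):
// a hypothetical plugin that forwards request parameters straight into
// WP_Query, beside a version that validates them against WordPress's own
// registered post types and statuses before building the query.
// The parameter names are a constructed illustration of "unsafe data";
// they are not a statement of which arguments the 4.7.2 hardening touched.

// Risky pattern: untrusted input becomes query arguments unchanged.
// Whether this is exploitable depends entirely on how WP_Query treats
// each argument, which is exactly the dependency the advisory warns about.
function example_plugin_query_unsafe() {
    $args = array(
        'post_type'   => isset( $_GET['type'] )    ? $_GET['type']    : 'post',
        'post_status' => isset( $_GET['status'] )  ? $_GET['status']  : 'publish',
        'orderby'     => isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'date',
    );
    return new WP_Query( $args );
}

// Hardened pattern: allowlist every value before it reaches WP_Query,
// so correctness no longer depends on core sanitising the argument.
function example_plugin_query_safe() {
    // sanitize_key() reduces the value to [a-z0-9_-]; wp_unslash() undoes
    // WordPress's request slashing.
    $type    = isset( $_GET['type'] )    ? sanitize_key( wp_unslash( $_GET['type'] ) )    : 'post';
    $status  = isset( $_GET['status'] )  ? sanitize_key( wp_unslash( $_GET['status'] ) )  : 'publish';
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';

    // Only post types and statuses WordPress has actually registered are
    // acceptable; anything else falls back to a safe default.
    if ( ! in_array( $type, get_post_types(), true ) ) {
        $type = 'post';
    }
    if ( ! in_array( $status, get_post_stati(), true ) ) {
        $status = 'publish';
    }

    // Fixed allowlist for orderby (all lowercase, matching sanitize_key()).
    $allowed_orderby = array( 'date', 'title', 'modified', 'name' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date';
    }

    return new WP_Query( array(
        'post_type'   => $type,
        'post_status' => $status,
        'orderby'     => $orderby,
    ) );
}
```

The point of the allowlist is that it removes the dependency on core's handling of a given argument: even on a WordPress version without the 4.7.2 hardening, the second function never passes WP_Query a value it did not itself produce from a known-good set. Reviewing a site's plugins for the first pattern is a practical follow-up to updating core.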
Comment 1 Francis Booth 2017-01-27 06:47:25 UTC
Maintainer(s), please drop the vulnerable version(s).

Non-stable package; security, please close with noglsa.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-01-27 08:20:13 UTC
CVE Assignment Request: http://seclists.org/oss-sec/2017/q1/207
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-27 10:29:41 UTC
Fixed version not yet in repository.