Bug 618704 (CVE-2017-8295) - <www-apps/wordpress-4.7.5: Multiple Vulnerabilities (CVE-2017-8295)
Summary: <www-apps/wordpress-4.7.5: Multiple Vulnerabilities (CVE-2017-8295)
Status: RESOLVED FIXED
Alias: CVE-2017-8295
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://wordpress.org/news/2017/05/wo...
Whiteboard: ~3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-17 00:42 UTC by Yury German
Modified: 2017-05-18 05:41 UTC

See Also:
Package list:
Runtime testing required: ---


Description Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-17 00:42:03 UTC
WordPress versions 4.7.4 and earlier are affected by six security issues:

Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-17 00:43:39 UTC
Please upgrade to www-apps/wordpress-4.7.5
Comment 2 Sebastian Pipping gentoo-dev 2017-05-17 13:22:26 UTC
Please feel free to further adjust the new bug title!

@security, is there anything more to do than a bump?


commit 54e7ccf5b916874d931ffe10d36e4061e42a0ef2
Author: Sebastian Pipping <sping@g.o>
Date:   Wed May 17 15:18:42 2017 +0200

    www-apps/wordpress: 4.7.5
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 www-apps/wordpress/Manifest                                           | 2 +-
 www-apps/wordpress/{wordpress-4.7.4.ebuild => wordpress-4.7.5.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://github.com/gentoo/gentoo/commit/54e7ccf5b916874d931ffe10d36e4061e42a0ef2
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-18 05:41:24 UTC
That is all that needs to be done for non-stable packages. Thank you!