Debian Bug report logs - #464170
wordpress: security flaw in xml-rpc implementation

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 5 Feb 2008 16:09:01 UTC

Severity: grave

Tags: patch, security

Fixed in version wordpress/2.3.3-1

Done: Kai Hendry <hendry@iki.fi>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#464170; Package wordpress.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: wordpress: security flaw in xml-rpc implementation
Date: Tue, 5 Feb 2008 17:08:24 +0100
Source: wordpress
Severity: grave
Tags: security patch

Hi Kai,
A security issue in wordpress' xml-rpc implementation was 
found[0]:
| WordPress 2.3.3 is an urgent security release. A flaw was 
| found in our XML-RPC implementation such that a specially 
| crafted request would allow any valid user to edit posts of 
| any other user on that blog.

Looking at the latest changes on xml-rpc the following 
changesets seem to be relevant:
http://trac.wordpress.org/changeset/6709
http://trac.wordpress.org/changeset/6714

Upstream ticket:
http://trac.wordpress.org/ticket/5313

A CVE id is currently pending for this.

For further information:
[0] http://wordpress.org/development/2008/02/wordpress-233/

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Kai Hendry <hendry@iki.fi>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #10 received at 464170-close@bugs.debian.org:

From: Kai Hendry <hendry@iki.fi>
To: 464170-close@bugs.debian.org
Subject: Bug#464170: fixed in wordpress 2.3.3-1
Date: Tue, 05 Feb 2008 17:02:31 +0000
Source: wordpress
Source-Version: 2.3.3-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.3.3-1.diff.gz
  to pool/main/w/wordpress/wordpress_2.3.3-1.diff.gz
wordpress_2.3.3-1.dsc
  to pool/main/w/wordpress/wordpress_2.3.3-1.dsc
wordpress_2.3.3-1_all.deb
  to pool/main/w/wordpress/wordpress_2.3.3-1_all.deb
wordpress_2.3.3.orig.tar.gz
  to pool/main/w/wordpress/wordpress_2.3.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464170@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kai Hendry <hendry@iki.fi> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 05 Feb 2008 16:22:57 +0000
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.3.3-1
Distribution: unstable
Urgency: high
Maintainer: Kai Hendry <hendry@iki.fi>
Changed-By: Kai Hendry <hendry@iki.fi>
Description: 
 wordpress  - weblog manager
Closes: 464170
Changes: 
 wordpress (2.3.3-1) unstable; urgency=high
 .
   * New upstream security release
   * http://wordpress.org/development/2008/02/wordpress-233/
   * Fix for security flaw in XML-RPC implementation (Closes: #464170) and
     http://trac.wordpress.org/ticket/5313
Files: 
 426d51b79675cfc2928a3f1c08607d63 650 web optional wordpress_2.3.3-1.dsc
 19518de1117aa68f0c3de84b6858efc3 884898 web optional wordpress_2.3.3.orig.tar.gz
 785942170e1b93d5398b013695e02329 10675 web optional wordpress_2.3.3-1.diff.gz
 59d2a9ac4d3d451cfb6b3bc382c39cf1 873074 web optional wordpress_2.3.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHqJL5HYflSXNkfP8RAhVpAJ0bsis9MYEmkWCJiIYSL5pVcszLDQCeLBQx
vOynt/f8RhRr8Lr5d+Y0tKw=
=XMLN
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#464170; Package wordpress.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #15 received at 464170@bugs.debian.org:

From: Lionel Elie Mamane <lionel@mamane.lu>
To: 464170@bugs.debian.org
Subject: CVE-2008-0664: etch not vulnerable?
Date: Fri, 15 Feb 2008 19:36:03 +0100

Hi,

Is something happening for CVE-2008-0664 (wordpress xml-rpc can edit
other user's posts) on etch? Has someone determined etch is not
vulnerable, is an update being prepared, ...?

-- 
Lionel




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Mar 2008 07:30:01 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:39:47 2014; Machine Name: buxtehude.debian.org
