
List:       oss-security
Subject:    Re: [oss-security] CVE request: Wordpress 2.8.6
From:       Josh Bressers <bressers () redhat ! com>
Date:       2009-11-16 21:24:47
Message-ID: 1721505702.99771258406687618.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Let's use these:

CVE-2009-3890 wordpress OSVDB 59958
CVE-2009-3891 wordpress OSVDB 59959

Thanks.

-- 
    JB

----- "security curmudgeon" <jericho@attrition.org> wrote:

> On Sun, 15 Nov 2009, Alex Legler wrote:
> 
> : Wordpress released an update, fixing 2 issues:
> : 
> : "2.8.6 fixes two security problems that can be exploited by registered,
> : logged in users who have posting privileges.  If you have untrusted
> : authors on your blog, upgrading to 2.8.6 is recommended.
> : 
> : The first problem is an XSS vulnerability in Press This discovered by
> : Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is
> : an issue with sanitizing uploaded file names that can be exploited in
> : certain Apache configurations. Thanks to Benjamin and Dawid for finding
> : and reporting these."
> : 
> : from
> : http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/
> : 
> : I believe these are the matching tickets:
> : Issue 1: http://core.trac.wordpress.org/ticket/11119
> : Issue 2: http://core.trac.wordpress.org/ticket/11122
> 
> OSVDB   Disclosure   Title
> 
> 59958   2009-11-12   WordPress /wp-includes/functions.php wp_check_filetype()
>                      Function File Upload Arbitrary Code Execution
> 
> 59959   2009-11-12   WordPress press-this.php Unspecified XSS
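
The second issue above is described only as a file-name sanitization problem "exploited in certain Apache configurations". The following is an added illustration of that class of bug, written for this page; it is not WordPress code and not the 2.8.6 patch. It assumes two things: Apache's mod_mime multiple-extension rule (every dot-separated segment counts as an extension, so a handler bound to `.php` also fires for `shell.php.jpg`), and an upload check that trusts only the final extension, which is the usual way this class of bug arises. The handler map and the allowlist are constructed sample data.

```python
import re

# Constructed sample handler map, mimicking an Apache directive such as
# "AddHandler php5-script .php". Assumption for this example, not a real server config.
APACHE_HANDLERS = {"php": "php5-script", "cgi": "cgi-script"}

# Constructed upload allowlist in the spirit of a blog's image/document types.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def apache_handler_for(filename, handlers=APACHE_HANDLERS):
    """Emulate mod_mime's multiple-extension rule.

    Apache treats every dot-separated segment after the base name as an
    extension, so 'shell.php.jpg' still triggers the .php handler. When
    several segments map to a handler, the rightmost one wins.
    """
    handler = None
    for segment in filename.split(".")[1:]:
        mapped = handlers.get(segment.lower())
        if mapped:
            handler = mapped
    return handler


def naive_check_filetype(filename, allowed=ALLOWED_EXTENSIONS):
    """The weak check (illustrative): trust only the final extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed


def sanitize_filename(filename, allowed=ALLOWED_EXTENSIONS):
    """Neutralize intermediate extensions a server might hand to an interpreter.

    Keeps the base name and the final extension, and appends '_' to any
    intermediate segment that looks like an extension (2-5 letters, optional
    digit) but is not in the allowlist, so 'shell.php.jpg' becomes
    'shell.php_.jpg' and no longer matches a .php handler.
    """
    parts = filename.split(".")
    if len(parts) <= 2:
        return filename
    base, *middle, ext = parts
    out = [base]
    for seg in middle:
        if re.fullmatch(r"[A-Za-z]{2,5}\d?", seg) and seg.lower() not in allowed:
            seg += "_"
        out.append(seg)
    out.append(ext)
    return ".".join(out)


def is_safe_upload(filename):
    """Sanitize, then require both the allowlist check and no server-side handler.

    Returns (stored_name, accepted).
    """
    clean = sanitize_filename(filename)
    accepted = naive_check_filetype(clean) and apache_handler_for(clean) is None
    return clean, accepted


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.php.jpg", "shell.php"):
        print(name, "->", naive_check_filetype(name), apache_handler_for(name), is_safe_upload(name))
```

The underscore trick only works because no handler is bound to `php_`; the sturdier defence is to store uploads in a directory where no handler or script engine runs at all, and to combine the name check with a content check rather than relying on either alone.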