You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa wordpress

Sigurnosni nedostaci programskog paketa wordpress

——————————————————————————–
Fedora Update Notification
FEDORA-2020-a764b11b52
2020-11-11 01:17:49.473225
——————————————————————————–

Name : wordpress
Product : Fedora 33
Version : 5.5.3
Release : 1.fc33
URL : http://www.wordpress.org
Summary : Blog tool and publishing platform
Description :
WordPress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.

Important information in /usr/share/doc/wordpress/README.fedora

——————————————————————————–
Update Information:

**WordPress 5.5.3 Maintenance Release** This maintenance release fixes an issue
introduced in WordPress 5.5.2 which makes it impossible to install WordPress on
a brand new website that does not have a database connection configured. —-
**WordPress 5.5.2 Security and Maintenance Release** **Security Updates** *
Props to Alex Concha of the WordPress Security Team for their work in hardening
deserialization requests. * Props to David Binovec on a fix to disable spam
embeds from disabled sites on a multisite network. * Thanks to Marc Montas
from Sucuri for reporting an issue that could lead to XSS from global variables.
* Thanks to Justin Tran who reported an issue surrounding privilege
escalation in XML-RPC. He also found and disclosed an issue around privilege
escalation around post commenting via XML-RPC. * Props to Omar Ganiev who
reported a method where a DoS attack could lead to RCE. * Thanks to Karim El
Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. *
Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a
method to bypass protected meta that could lead to arbitrary file deletion. *
Thanks to Erwan LR from WPScan who responsibly disclosed a method that could
lead to CSRF. * And a special thanks to @zieladam who was integral in many of
the releases and patches during this release.
——————————————————————————–
ChangeLog:

* Sat Oct 31 2020 Remi Collet <remi@remirepo.net> – 5.5.3-1
– WordPress 5.5.3 Maintenance Release
* Fri Oct 30 2020 Remi Collet <remi@remirepo.net> – 5.5.2-1
– WordPress 5.5.2 Security and Maintenance Release
* Tue Oct 20 2020 Remi Collet <remi@remirepo.net> – 5.5.1-2
– Change FS_METHOD default to ‘direct’ to allow enabling FILE_MODS #1889644
——————————————————————————–
References:

[ 1 ] Bug #1894947 – CVE-2020-28032 wordpress: hardening deserialization requests
https://bugzilla.redhat.com/show_bug.cgi?id=1894947
[ 2 ] Bug #1894954 – CVE-2020-28033 wordpress: disable spam embeds from disabled sites on a multisite network
https://bugzilla.redhat.com/show_bug.cgi?id=1894954
[ 3 ] Bug #1894957 – CVE-2020-28035 wordpress: XML-RPC privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1894957
[ 4 ] Bug #1894962 – CVE-2020-28034 wordpress: XSS via global variables
https://bugzilla.redhat.com/show_bug.cgi?id=1894962
[ 5 ] Bug #1894966 – CVE-2020-28036 wordpress: privilege escalation by using XML-RPC to comment on a post
https://bugzilla.redhat.com/show_bug.cgi?id=1894966
[ 6 ] Bug #1894969 – CVE-2020-28037 wordpress: DoS attack could lead to RCE
https://bugzilla.redhat.com/show_bug.cgi?id=1894969
[ 7 ] Bug #1894974 – CVE-2020-28038 wordpress: stored XSS in post slugs
https://bugzilla.redhat.com/show_bug.cgi?id=1894974
[ 8 ] Bug #1894982 – CVE-2020-28039 wordpress: protected meta that could lead to arbitrary file deletion
https://bugzilla.redhat.com/show_bug.cgi?id=1894982
[ 9 ] Bug #1894995 – CVE-2020-28040 wordpress: CSRF attacks that change a theme’s background image
https://bugzilla.redhat.com/show_bug.cgi?id=1894995
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-a764b11b52’ at the command
line. For more information, refer to the dnf documentation available at
https://protect2.fireeye.com/v1/url?k=d900ecbe-869cf6a0-d9077172-000babd90757-de44d701d2c19d23&q=1&e=6b364a33-9ae9-4904-85a4-739663c4ed57&u=http%3A%2F%2Fdnf.readthedocs.io%2Fen%2Flatest%2Fcommand_ref.html%23upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2020-b386fac43a
2020-11-11 01:19:50.943602
——————————————————————————–

Name : wordpress
Product : Fedora 32
Version : 5.5.3
Release : 1.fc32
URL : http://www.wordpress.org
Summary : Blog tool and publishing platform
Description :
WordPress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.

Important information in /usr/share/doc/wordpress/README.fedora

——————————————————————————–
Update Information:

**WordPress 5.5.3 Maintenance Release** This maintenance release fixes an issue
introduced in WordPress 5.5.2 which makes it impossible to install WordPress on
a brand new website that does not have a database connection configured. —-
**WordPress 5.5.2 Security and Maintenance Release** **Security Updates** *
Props to Alex Concha of the WordPress Security Team for their work in hardening
deserialization requests. * Props to David Binovec on a fix to disable spam
embeds from disabled sites on a multisite network. * Thanks to Marc Montas
from Sucuri for reporting an issue that could lead to XSS from global variables.
* Thanks to Justin Tran who reported an issue surrounding privilege
escalation in XML-RPC. He also found and disclosed an issue around privilege
escalation around post commenting via XML-RPC. * Props to Omar Ganiev who
reported a method where a DoS attack could lead to RCE. * Thanks to Karim El
Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. *
Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a
method to bypass protected meta that could lead to arbitrary file deletion. *
Thanks to Erwan LR from WPScan who responsibly disclosed a method that could
lead to CSRF. * And a special thanks to @zieladam who was integral in many of
the releases and patches during this release.
——————————————————————————–
ChangeLog:

* Sat Oct 31 2020 Remi Collet <remi@remirepo.net> – 5.5.3-1
– WordPress 5.5.3 Maintenance Release
* Fri Oct 30 2020 Remi Collet <remi@remirepo.net> – 5.5.2-1
– WordPress 5.5.2 Security and Maintenance Release
——————————————————————————–
References:

[ 1 ] Bug #1894947 – CVE-2020-28032 wordpress: hardening deserialization requests
https://bugzilla.redhat.com/show_bug.cgi?id=1894947
[ 2 ] Bug #1894954 – CVE-2020-28033 wordpress: disable spam embeds from disabled sites on a multisite network
https://bugzilla.redhat.com/show_bug.cgi?id=1894954
[ 3 ] Bug #1894957 – CVE-2020-28035 wordpress: XML-RPC privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1894957
[ 4 ] Bug #1894962 – CVE-2020-28034 wordpress: XSS via global variables
https://bugzilla.redhat.com/show_bug.cgi?id=1894962
[ 5 ] Bug #1894966 – CVE-2020-28036 wordpress: privilege escalation by using XML-RPC to comment on a post
https://bugzilla.redhat.com/show_bug.cgi?id=1894966
[ 6 ] Bug #1894969 – CVE-2020-28037 wordpress: DoS attack could lead to RCE
https://bugzilla.redhat.com/show_bug.cgi?id=1894969
[ 7 ] Bug #1894974 – CVE-2020-28038 wordpress: stored XSS in post slugs
https://bugzilla.redhat.com/show_bug.cgi?id=1894974
[ 8 ] Bug #1894982 – CVE-2020-28039 wordpress: protected meta that could lead to arbitrary file deletion
https://bugzilla.redhat.com/show_bug.cgi?id=1894982
[ 9 ] Bug #1894995 – CVE-2020-28040 wordpress: CSRF attacks that change a theme’s background image
https://bugzilla.redhat.com/show_bug.cgi?id=1894995
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-b386fac43a’ at the command
line. For more information, refer to the dnf documentation available at
https://protect2.fireeye.com/v1/url?k=aad9207f-f5453a61-aadebdb3-000babd90757-e764d423f6080a66&q=1&e=62a5bad1-1872-41f0-829c-bf65194f5042&u=http%3A%2F%2Fdnf.readthedocs.io%2Fen%2Flatest%2Fcommand_ref.html%23upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2020-15e15c35da
2020-11-11 01:31:11.923301
——————————————————————————–

Name : wordpress
Product : Fedora 31
Version : 5.5.3
Release : 1.fc31
URL : http://www.wordpress.org
Summary : Blog tool and publishing platform
Description :
WordPress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.

Important information in /usr/share/doc/wordpress/README.fedora

——————————————————————————–
Update Information:

**WordPress 5.5.3 Maintenance Release** This maintenance release fixes an issue
introduced in WordPress 5.5.2 which makes it impossible to install WordPress on
a brand new website that does not have a database connection configured. —-
**WordPress 5.5.2 Security and Maintenance Release** **Security Updates** *
Props to Alex Concha of the WordPress Security Team for their work in hardening
deserialization requests. * Props to David Binovec on a fix to disable spam
embeds from disabled sites on a multisite network. * Thanks to Marc Montas
from Sucuri for reporting an issue that could lead to XSS from global variables.
* Thanks to Justin Tran who reported an issue surrounding privilege
escalation in XML-RPC. He also found and disclosed an issue around privilege
escalation around post commenting via XML-RPC. * Props to Omar Ganiev who
reported a method where a DoS attack could lead to RCE. * Thanks to Karim El
Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. *
Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a
method to bypass protected meta that could lead to arbitrary file deletion. *
Thanks to Erwan LR from WPScan who responsibly disclosed a method that could
lead to CSRF. * And a special thanks to @zieladam who was integral in many of
the releases and patches during this release.
——————————————————————————–
ChangeLog:

* Sat Oct 31 2020 Remi Collet <remi@remirepo.net> – 5.5.3-1
– WordPress 5.5.3 Maintenance Release
* Fri Oct 30 2020 Remi Collet <remi@remirepo.net> – 5.5.2-1
– WordPress 5.5.2 Security and Maintenance Release
——————————————————————————–
References:

[ 1 ] Bug #1894947 – CVE-2020-28032 wordpress: hardening deserialization requests
https://bugzilla.redhat.com/show_bug.cgi?id=1894947
[ 2 ] Bug #1894954 – CVE-2020-28033 wordpress: disable spam embeds from disabled sites on a multisite network
https://bugzilla.redhat.com/show_bug.cgi?id=1894954
[ 3 ] Bug #1894957 – CVE-2020-28035 wordpress: XML-RPC privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1894957
[ 4 ] Bug #1894962 – CVE-2020-28034 wordpress: XSS via global variables
https://bugzilla.redhat.com/show_bug.cgi?id=1894962
[ 5 ] Bug #1894966 – CVE-2020-28036 wordpress: privilege escalation by using XML-RPC to comment on a post
https://bugzilla.redhat.com/show_bug.cgi?id=1894966
[ 6 ] Bug #1894969 – CVE-2020-28037 wordpress: DoS attack could lead to RCE
https://bugzilla.redhat.com/show_bug.cgi?id=1894969
[ 7 ] Bug #1894974 – CVE-2020-28038 wordpress: stored XSS in post slugs
https://bugzilla.redhat.com/show_bug.cgi?id=1894974
[ 8 ] Bug #1894982 – CVE-2020-28039 wordpress: protected meta that could lead to arbitrary file deletion
https://bugzilla.redhat.com/show_bug.cgi?id=1894982
[ 9 ] Bug #1894995 – CVE-2020-28040 wordpress: CSRF attacks that change a theme’s background image
https://bugzilla.redhat.com/show_bug.cgi?id=1894995
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-15e15c35da’ at the command
line. For more information, refer to the dnf documentation available at
https://protect2.fireeye.com/v1/url?k=a8affffc-f733e5e2-a8a86230-000babd90757-6fc6cffb018bb91a&q=1&e=d0670e93-aa91-4065-bd22-e743668e47ac&u=http%3A%2F%2Fdnf.readthedocs.io%2Fen%2Flatest%2Fcommand_ref.html%23upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

Top
More in Preporuke
Sigurnosni nedostaci programskog paketa QEMU

Otkriveni su sigurnosni nedostaci u programskom paketu QEMU za operacijski sustav Gentoo. Otkriveni nedostaci potencijalnim napadačima omogućuju izazivanje DoS stanja,...

Close