On Sun, Nov 05, 2017 at 09:51:43AM +0100, Salvatore Bonaccorso wrote: > Source: wordpress > Version: 4.8.3+dfsg-1 > Severity: normal > Tags: security upstream > Forwarded: https://core.trac.wordpress.org/ticket/21022 > Control: found -1 4.1+dfsg-1 > > Hi, > > the following vulnerability was published for wordpress, this > bugreport is mainly just to track the upstream report. A patch has > been posted several months ago on that upstream bugreport at [1]/ > > CVE-2012-6707[0]: > | WordPress through 4.8.2 uses a weak MD5-based password hashing > | algorithm, which makes it easier for attackers to determine cleartext > | values by leveraging access to the hash values. NOTE: the approach to > | changing this may not be fully compatible with certain use cases, such > | as migration of a WordPress site from a web host that uses a recent PHP > | version to a different web host that uses PHP 5.2. These use cases are > | plausible (but very unlikely) based on statistics showing widespread > | deployment of WordPress with obsolete PHP versions. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2012-6707 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6707 > [1] https://core.trac.wordpress.org/ticket/21022
Looks this got fixed in https://core.trac.wordpress.org/changeset/59828 . Regards, Salvatore
