Package: wordpress
Severity: grave
Version: 2.0.10-1etch3
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for KSES, which affects the embedded copy shipped in wordpress[0].

CVE-2008-1502[1]:
> The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES,
> as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other
> products, allows remote attackers to bypass HTML filtering and conduct
> cross-site scripting (XSS) attacks via a string containing crafted URL
> protocols.

It should be possible to either backport the patch from wordpress in lenny/sid or from moodle in sid.

If you fix the vulnerability, please also make sure to include the CVE id in the changelog entry.

[0] usr/share/wordpress/wp-includes/kses.php
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1502
    http://security-tracker.debian.net/tracker/CVE-2008-1502

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
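An added illustration of the kind of filtering the advisory is about, written in Python for this report; it is not the KSES or WordPress code (which is PHP) and not the patch referred to above. It places a single-pass scheme check beside the same check iterated to a fixed point, which is the usual way a sanitizer avoids leaving a second, encoded or whitespace-split scheme behind. The allowlist and the test inputs are constructed.

```python
import html
import re

# Constructed allowlist of URL schemes accepted in href/src attributes.
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}

# RFC 3986 scheme syntax; text before the first colon that does not match
# (e.g. "/search?q=a:b") is not a scheme and must be left alone.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")


def bad_protocol_once(value: str) -> str:
    """One pass: decode HTML entities once, take the text before the first
    colon as the candidate scheme (ignoring whitespace and control characters,
    which browsers skip), and drop the scheme if it is not allowlisted."""
    decoded = html.unescape(value)
    head, colon, tail = decoded.partition(":")
    if not colon:
        return decoded
    scheme = re.sub(r"[\s\x00-\x1f\x7f]", "", head).lower()
    if not _SCHEME_RE.match(scheme) or scheme in ALLOWED_PROTOCOLS:
        return decoded
    return tail  # disallowed scheme removed; the remainder is checked again


def bad_protocol(value: str) -> str:
    """Repeat the single pass until the value stops changing, so a scheme that
    only appears after an earlier strip or entity decode is removed as well."""
    prev, cur = None, value
    while cur != prev:
        prev, cur = cur, bad_protocol_once(cur)
    return cur
```

The returned value is a decoded string, so it must still be attribute-escaped when written back into HTML.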