> CVE-2013-4338[0]:
> Unsafe PHP unserialization https://core.trac.wordpress.org/changeset/25325
It is very vague how that was a security bug. The code change doesn't actually make the default mode of is_serialized() any stricter; that is unchanged. Rather, it implements a new, more relaxed check that can be used to prevent something being stored in MySQL which, after being truncated due to another bug, something else might be able to wrongly deserialise later... it's a very poor way to fix what is really unsafe coding all over the place. It mitigates this specific exploit though.

The original researcher explains the original vulnerability here:
http://vagosec.org/2013/09/wordpress-php-object-injection/

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
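As an added illustration (not WordPress's own is_serialized() and not code posted in this thread), a small Python sketch of the strict-versus-relaxed distinction the message describes: the strict check still demands a proper terminator, while the relaxed check only looks at the leading type marker, so it also flags a value that has been truncated. Function names, the regex and the sample values are assumptions.

```python
import re

# Constructed sample values (not from the original thread): a well-formed
# serialized PHP object and a copy cut short, as a column truncation
# would leave it.
SERIALIZED_OBJECT = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
TRUNCATED_OBJECT = SERIALIZED_OBJECT[:-6]   # ends in 's:3:"', no terminator

# Leading type markers produced by PHP serialize(): a: O: s: with a length,
# i: b: d: scalars, and the bare null "N;".
_PREFIX = re.compile(r'^[aOs]:\d+:|^[ibd]:|^N;')


def looks_serialized(data, strict=True):
    """Return True if `data` looks like PHP serialize() output.

    strict=True  (the default, unchanged behaviour): the value must also
                 end with ';' or '}', as complete serialized data does.
    strict=False (the relaxed check): only the type marker is examined,
                 so a truncated value is still reported as serialized.
    """
    if not isinstance(data, str) or len(data) < 2:
        return False
    if _PREFIX.match(data) is None:
        return False
    if strict and data[-1] not in ';}':
        return False
    return True


def safe_to_store(value):
    """Hypothetical storage gate: refuse any value that might be read back
    as serialized data later, even if it is truncated on the way in."""
    return not looks_serialized(value, strict=False)
```

The strict check alone would let the truncated object through as "plain text", which is exactly the gap the relaxed mode is meant to close at storage time.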