Control: retitle -1 wordpress: 4.7.2 security release (CVE-2017-5610 CVE-2017-5611 CVE-2017-5612)

On Fri, Jan 27, 2017 at 07:15:10AM +0100, Salvatore Bonaccorso wrote:
> Source: wordpress
> Version: 4.7.1+dfsg-1
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi
> 
> A new wordpress release was announced, marked as security release.
> 
> Cf. http://www.openwall.com/lists/oss-security/2017/01/27/2 for the
> CVE request for the three issues.

CVEs have been assigned for those now:

> [] 1/ The user interface for assigning taxonomy terms in Press This is shown
> to users who do not have permissions to use it. Reported by David Herrera of
> Alley Interactive.
> https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454

Use CVE-2017-5610.


> [] 2/ WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe
> data. WordPress core is not directly vulnerable to this issue, but we've added
> hardening to prevent plugins and themes from accidentally causing a
> vulnerability. Reported by Mo Jangda (batmoo).
> https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb

Use CVE-2017-5611.


> [] 3/ A cross-site scripting (XSS) vulnerability was discovered in the posts
> list table. Reported by Ian Dunn of the WordPress Security Team.
> https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849

Use CVE-2017-5612.

Cf. http://www.openwall.com/lists/oss-security/2017/01/28/5

Regards,
Salvatore