Control: retitle -1 wordpress: 4.7.2 security release (CVE-2017-5610 CVE-2017-5611 CVE-2017-5612)
On Fri, Jan 27, 2017 at 07:15:10AM +0100, Salvatore Bonaccorso wrote:
> Source: wordpress
> Version: 4.7.1+dfsg-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi
>
> A new wordpress release was announced, marked as security release.
>
> Cf. http://www.openwall.com/lists/oss-security/2017/01/27/2 for the
> CVE request for the three issues.

CVEs have been assigned for those now:

> 1/ The user interface for assigning taxonomy terms in Press This is shown
> to users who do not have permissions to use it. Reported by David Herrera of
> Alley Interactive.
> https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454

Use CVE-2017-5610.

> 2/ WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe
> data. WordPress core is not directly vulnerable to this issue, but we've added
> hardening to prevent plugins and themes from accidentally causing a
> vulnerability. Reported by Mo Jangda (batmoo).
> https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb

Use CVE-2017-5611.

> 3/ A cross-site scripting (XSS) vulnerability was discovered in the posts
> list table. Reported by Ian Dunn of the WordPress Security Team.
> https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849

Use CVE-2017-5612.

Cf. http://www.openwall.com/lists/oss-security/2017/01/28/5

Regards,
Salvatore
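The second item above (CVE-2017-5611) describes a plugin/theme-side problem: WP_Query becomes an SQL injection sink when a plugin hands it request-controlled values, and core 4.7.2 only adds hardening around that. The following is an added illustration, not code from the bug report, from WordPress core or from the referenced commit. It shows the unsafe plugin pattern beside a plugin-side fix that does not depend on the core hardening. It assumes it runs inside WordPress: WP_Query, $wpdb, get_post_types(), get_post_stati(), sanitize_key(), sanitize_text_field(), wp_unslash() and the posts_where filter are the real WordPress APIs; the demo_* function names are hypothetical, and the attacker input in the comment is constructed.

```php
<?php
/*
 * Added example (not WordPress core code, not from the Debian bug or the
 * upstream commit). Runs inside WordPress; demo_* names are hypothetical.
 */

// UNSAFE: request-controlled strings go straight into the query args and
// into a posts_where filter that concatenates them into SQL.
function demo_unsafe_query() {
    global $wpdb;
    $type   = isset( $_GET['type'] )   ? $_GET['type']   : 'post';
    $status = isset( $_GET['status'] ) ? $_GET['status'] : 'publish';
    $title  = isset( $_GET['title'] )  ? $_GET['title']  : '';

    add_filter( 'posts_where', function ( $where ) use ( $wpdb, $title ) {
        // $title is interpolated unescaped. Constructed attacker input such as
        //   ' OR 1=1 --
        // rewrites the WHERE clause instead of matching a title.
        return $where . " AND {$wpdb->posts}.post_title LIKE '%{$title}%'";
    } );

    // post_type / post_status end up as column values inside SQL that core
    // builds; passing raw request strings here is the "unsafe data" case.
    return new WP_Query( array(
        'post_type'   => $type,
        'post_status' => $status,
    ) );
}

// HARDENED: allow-list structural values against what WordPress has
// registered, and let $wpdb quote any free-text comparison.
function demo_safe_query() {
    global $wpdb;
    $type   = isset( $_GET['type'] )   ? sanitize_key( $_GET['type'] )   : 'post';
    $status = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : 'publish';
    $title  = isset( $_GET['title'] )
        ? sanitize_text_field( wp_unslash( $_GET['title'] ) )
        : '';

    // Only accept post type / status names that core itself has registered;
    // anything else falls back to a safe default.
    if ( ! in_array( $type, get_post_types(), true ) ) {
        $type = 'post';
    }
    if ( ! in_array( $status, get_post_stati(), true ) ) {
        $status = 'publish';
    }

    // esc_like() neutralises % and _, prepare() quotes the value as a string.
    $filter = function ( $where ) use ( $wpdb, $title ) {
        $like = '%' . $wpdb->esc_like( $title ) . '%';
        return $where . $wpdb->prepare( " AND {$wpdb->posts}.post_title LIKE %s", $like );
    };

    if ( '' !== $title ) {
        add_filter( 'posts_where', $filter );
    }
    $query = new WP_Query( array(
        'post_type'   => $type,
        'post_status' => $status,
    ) );
    // Remove the filter so it does not leak into unrelated later queries.
    if ( '' !== $title ) {
        remove_filter( 'posts_where', $filter );
    }
    return $query;
}
```

The allow-list step is the part worth copying: post_type and post_status are not free text, so comparing them against get_post_types() / get_post_stati() rejects anything a core escaping change might or might not cover, and the prepare()/esc_like() pair handles the one genuinely free-text value.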