Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 15 Dec 2018 15:03:45 +0000 (UTC)
From:      Jochen Neumeister <joneum@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r487518 - head/security/vuxml
Message-ID:  <201812151503.wBFF3jPL069011@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: joneum
Date: Sat Dec 15 15:03:44 2018
New Revision: 487518
URL: https://svnweb.freebsd.org/changeset/ports/487518

Log:
  Document wordpress issues
  
  Sponsored by:	Netzkommune GmbH

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Dec 15 15:03:11 2018	(r487517)
+++ head/security/vuxml/vuln.xml	Sat Dec 15 15:03:44 2018	(r487518)
@@ -58,6 +58,59 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="4b98613c-0078-11e9-b05b-00e04c1ea73d">
+    <topic>wordpress -- multiple issues</topic>
+    <affects>
+      <package>
+	<name>wordpress</name>
+	<name>fr-wordpress</name>
+	<range><lt>5.0.1,1</lt></range>
+      </package>
+      <package>
+	<name>de-wordpress</name>
+	<name>zh_CN-wordpress</name>
+	<name>zh_TW-wordpress</name>
+	<name>ja-wordpress</name>
+	<name>ru-wordpress</name>
+	<range><lt>5.0.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>wordpress developers reports:</p>
+	<blockquote cite="https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/">;
+	  <p>WordPress versions 5.0 and earlier are affected by the following bugs, which are
+	    fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are
+	    also available, for users who have not yet updated to 5.0.</p>
+	  <p>Karim El Ouerghemmi discovered that authors could alter meta data to delete files
+	    that they weren’t authorized to.</p>
+	  <p>Simon Scannell of RIPS Technologies discovered that authors could create posts of
+	    unauthorized post types with specially crafted input.</p>
+	  <p>Sam Thomas discovered that contributors could craft meta data in a way that resulted
+	    in PHP object injection.</p>
+	  <p>Tim Coen discovered that contributors could edit new comments from higher-privileged
+	    users, potentially leading to a cross-site scripting vulnerability.</p>
+	  <p>Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site
+	    scripting vulnerability in some circumstances. WordPress itself was not affected,
+	    but plugins could be in some situations.</p>
+	  <p>Team Yoast discovered that the user activation screen could be indexed by search
+	    engines in some uncommon configurations, leading to exposure of email addresses,
+	    and in some rare cases, default generated passwords.</p>
+	  <p>Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload
+	    specifically crafted files that bypass MIME verification, leading to a cross-site
+	    scripting vulnerability.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/</url>;
+    </references>
+    <dates>
+      <discovery>2018-12-13</discovery>
+      <entry>2018-12-15</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="293f40a0-ffa1-11e8-b258-0011d823eebd">
     <topic>Mbed TLS -- Local timing attack on RSA decryption</topic>
     <affects>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812151503.wBFF3jPL069011>