wordpress: security flaw in xml-rpc implementation

Bug #189479 reported by Emanuele Gentili
Affects             Status        Importance  Assigned to  Milestone
wordpress (Debian)  Fix Released  Unknown
wordpress (Ubuntu)  Fix Released  High        Unassigned

Bug Description

Binary package hint: wordpress

Source: wordpress
Severity: grave
Tags: security patch

A security issue in wordpress' xml-rpc implementation was found[0]:
WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog.

Looking at the latest changes on xml-rpc the following
changesets seem to be relevant:
http://trac.wordpress.org/changeset/6709
http://trac.wordpress.org/changeset/6714

Upstream ticket:
http://trac.wordpress.org/ticket/5313

A CVE id is currently pending for this.

<= Hardy Vulnerable, please open task.

Merge ready [1]; I'm working on a backport patch.

For further information:
[0] http://wordpress.org/development/2008/02/wordpress-233/
[1] http://dad.dunnewind.net/wordpress/

Murat Gunes (mgunes)
Changed in wordpress:
importance: Undecided → High
Changed in wordpress:
status: Unknown → Fix Released
Emanuele Gentili (emgent) wrote :

wordpress (2.2.2-1ubuntu1.3) gutsy-security; urgency=low

  * SECURITY UPDATE:
    - Fix for security flaw in XML-RPC implementation (LP: #189479)
  * References
    - http://trac.wordpress.org/ticket/5313

 -- Emanuele Gentili <email address hidden> Wed, 06 Feb 2008 14:02:52 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wordpress - 2.2.2-1ubuntu1.3

Changed in wordpress:
status: New → Fix Released