Bug#939543: wordpress: 5.2.3 fixes several XSS and other security bugs

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#939543: wordpress: 5.2.3 fixes several XSS and other security bugs

Craig Small-2
Source: wordpress
Version: 5.2.2+dfsg1-1
Severity: normal
Tags: security

Wordpress has release 5.2.3 which fixes several security holes.

From https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/

Security Updates
Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Reply | Threaded
Open this post in threaded view
|

Bug#939543: wordpress: 5.2.3 fixes several XSS and other security bugs

Salvatore Bonaccorso-4
Hi Craig,

On Fri, Sep 06, 2019 at 05:37:45PM +1000, Craig Small wrote:

> Source: wordpress
> Version: 5.2.2+dfsg1-1
> Severity: normal
> Tags: security
>
> Wordpress has release 5.2.3 which fixes several security holes.
>
> From https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
>
> Security Updates
> Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
> Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
> Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
> Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
> Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
> Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
> In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

I guess you can/will ask for CVes for those issues? Can you report
those back here and on [hidden email] once known?

Regards,
Salvatore

Reply | Threaded
Open this post in threaded view
|

Bug#939543: wordpress: 5.2.3 fixes several XSS and other security bugs

Craig Small-2
Hi Salvatore,
  I'll go ask for them over the weekend. I'll look into backports for the relevant patches.  Definitely a festival of XSS going on for this one!

 - Craig


On Fri, 6 Sep 2019 at 17:47, Salvatore Bonaccorso <[hidden email]> wrote:
Hi Craig,

On Fri, Sep 06, 2019 at 05:37:45PM +1000, Craig Small wrote:
> Source: wordpress
> Version: 5.2.2+dfsg1-1
> Severity: normal
> Tags: security
>
> Wordpress has release 5.2.3 which fixes several security holes.
>
> From https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
>
> Security Updates
> Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
> Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
> Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
> Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
> Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
> Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
> In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

I guess you can/will ask for CVes for those issues? Can you report
those back here and on [hidden email] once known?

Regards,
Salvatore
Reply | Threaded
Open this post in threaded view
|

Bug#939543: wordpress: 5.2.3 fixes several XSS and other security bugs

Salvatore Bonaccorso-4
Hi Craig,

On Fri, Sep 06, 2019 at 06:43:17PM +1000, Craig Small wrote:
> Hi Salvatore,
>   I'll go ask for them over the weekend. I'll look into backports for the
> relevant patches.  Definitely a festival of XSS going on for this one!

Many thanks!

Regards,
Salvatore

Reply | Threaded
Open this post in threaded view
|

Bug#939543: wordpress: 5.2.3 fixes several XSS and other security bugs

Craig Small-2
That took longer than expected but I submitted 7 CVE ID requests into MITRE tonight.  I'm having trouble matching the changesets to the vulnerabilities (I know 3 of them only) which will make backporting harder.

 - Craig


Reply | Threaded
Open this post in threaded view
|

Bug#939543: wordpress: 5.2.3 fixes several XSS and other security bugs

Salvatore Bonaccorso-4
Hi!

On Wed, Sep 11, 2019 at 08:44:11PM +1000, Craig Small wrote:
> That took longer than expected but I submitted 7 CVE ID requests into MITRE
> tonight.  I'm having trouble matching the changesets to the vulnerabilities
> (I know 3 of them only) which will make backporting harder.

So it looks all those got assigned:

        CVE-2019-16217
        CVE-2019-16218
        CVE-2019-16219
        CVE-2019-16220
        CVE-2019-16221
        CVE-2019-16222
        CVE-2019-16223

Can upstream be conviced in some way to share more information on the
needed isolated fixes?

Regards,
Salvatore