security fixes since 3.8.2

Bug #1395336 reported by Kees Cook
Affects | Status | Importance | Assigned to | Milestone
wordpress (Ubuntu) | Invalid | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |

Bug Description

Several security fixes have been made since Trusty's 3.8.2 release of wordpress:

http://codex.wordpress.org/Version_3.8.3
http://codex.wordpress.org/Version_3.8.4
http://codex.wordpress.org/Version_3.8.5

Kees Cook (kees) wrote :
tags: added: patch
Kees Cook (kees) wrote :
information type: Public → Public Security
Kees Cook (kees) wrote :

Can I self-ACK?

Changed in wordpress (Ubuntu Trusty):
status: New → Confirmed
tags: added: security-verification
Changed in wordpress (Ubuntu Trusty):
status: Confirmed → In Progress
Kees Cook (kees) wrote :
description: updated
Kees Cook (kees) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wordpress - 3.8.2+dfsg-1ubuntu0.1

---------------
wordpress (3.8.2+dfsg-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: upstream security and bug fixes (LP: #1395336):
    - 3.8.3:
      - Post collision bug fix (wp-admin/includes/post.php)
    - 3.8.4:
      - CVE-2014-2053 (wp-includes/ID3/getid3.lib.php)
      - CVE-2014-5265 CVE-2014-5266 (wp-includes/class-IXR.php)
      - CVE-2014-5204 CVE-2014-5205 CVE-2014-5240 (wp-includes/pluggable.php)
      - Constant time wp_verify_nonce (wp-includes/compat.php)
    - 3.8.5:
      - three cross-site scripting issues
      - cross-site request forgery to trigger password change
      - DoS when passwords are checked
      - protections against server-side request forgery attacks
      - hash collision on pre-2008 logins
      - invalidate links from password reset emails after use
 -- Kees Cook <email address hidden> Sat, 22 Nov 2014 07:50:29 -0800

Changed in wordpress (Ubuntu Trusty):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in wordpress (Ubuntu):
status: New → Triaged
status: Triaged → Incomplete
Changed in wordpress (Ubuntu Trusty):
status: Fix Released → Incomplete
Changed in wordpress (Ubuntu Trusty):
status: Incomplete → Fix Released
Changed in wordpress (Ubuntu):
status: Incomplete → Invalid
This report contains Public Security information  
Everyone can see this security related information.
