[CVE] XSS security flaw due to add_query_arg

Bug #1718571 reported by Simon Quigley
Affects                       | Status       | Importance | Assigned to   | Milestone
wordpress-shibboleth (Ubuntu) | Fix Released | Medium     | Simon Quigley |
Trusty                        | Fix Released | Medium     | Simon Quigley |
Xenial                        | Fix Released | Medium     | Simon Quigley |
Zesty                         | Fix Released | Medium     | Simon Quigley |
Artful                        | Fix Released | Medium     | Simon Quigley |

Bug Description

The shibboleth_login_form function in shibboleth.php in the Shibboleth plugin before 1.8 for WordPress is prone to an XSS vulnerability due to improper use of add_query_arg().

This has been fixed upstream here: https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
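The bug class behind this report, shown as an added illustration that is not the Shibboleth plugin's code and not the upstream commit: add_query_arg() called without an explicit base URL builds on $_SERVER['REQUEST_URI'] and returns that string unescaped, so a login link that echoes it straight into an HTML attribute is under the visitor's control. The snippet assumes it runs inside WordPress (add_query_arg(), esc_url(), esc_attr() available); the shib_demo_* function names and the shib_demo query key are made up for the example.

```php
<?php
// Added example, not the Shibboleth plugin's own code. Assumes WordPress is
// loaded so add_query_arg(), esc_url() and esc_attr() exist. The shib_demo_*
// names and the "shib_demo" query key are invented for this illustration.

// add_query_arg() with no base URL starts from $_SERVER['REQUEST_URI'], which
// the client controls, and hands it back without escaping. Whatever is built
// from its return value has to be escaped for the context it is printed into.

// Vulnerable shape (the "before" of the fix): the raw return value lands in an
// attribute, so characters in the request URI can terminate the attribute.
function shib_demo_login_link_vulnerable() {
    $url = add_query_arg( 'shib_demo', 'login' );
    return '<a href="' . $url . '">Log in</a>';
}

// Hardened shape: esc_url() drops characters that are not valid in a URL
// (quotes and angle brackets among them) and entity-encodes & and ', so the
// value can no longer close the attribute or open a tag.
function shib_demo_login_link() {
    $url = esc_url( add_query_arg( 'shib_demo', 'login' ) );
    return '<a href="' . $url . '">Log in</a>';
}

// The same rule applies to any other sink; a hidden form field takes esc_attr().
function shib_demo_redirect_field() {
    $url = add_query_arg( 'shib_demo', 'login' );
    return '<input type="hidden" name="redirect_to" value="' . esc_attr( $url ) . '">';
}
```

When reviewing a plugin for this class, grep for add_query_arg( and remove_query_arg( and confirm that every call whose result reaches output is wrapped in esc_url() (or esc_attr() / wp_json_encode() for non-href sinks); the escaping belongs at the output site, not at the point where the URL is assembled.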

CVE References

Simon Quigley (tsimonq2) wrote :

Fix from stretch-security uploaded to Artful: https://launchpad.net/ubuntu/+source/wordpress-shibboleth/1.4-2+deb9u1

I'll get updates for Trusty-Zesty within the next week or so.

Changed in wordpress-shibboleth (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in wordpress-shibboleth (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in wordpress-shibboleth (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → Medium
Changed in wordpress-shibboleth (Ubuntu Xenial):
importance: Undecided → Medium
Changed in wordpress-shibboleth (Ubuntu Trusty):
importance: Undecided → Medium
Changed in wordpress-shibboleth (Ubuntu Zesty):
status: New → In Progress
Changed in wordpress-shibboleth (Ubuntu Xenial):
status: New → In Progress
Changed in wordpress-shibboleth (Ubuntu Trusty):
status: New → In Progress
Changed in wordpress-shibboleth (Ubuntu Artful):
status: In Progress → Fix Committed
Changed in wordpress-shibboleth (Ubuntu Trusty):
milestone: none → trusty-updates
Changed in wordpress-shibboleth (Ubuntu Xenial):
milestone: none → xenial-updates
Changed in wordpress-shibboleth (Ubuntu Zesty):
milestone: none → zesty-updates
Changed in wordpress-shibboleth (Ubuntu Artful):
milestone: none → ubuntu-17.09
Simon Quigley (tsimonq2)
Changed in wordpress-shibboleth (Ubuntu Artful):
status: Fix Committed → Fix Released
Simon Quigley (tsimonq2) wrote :

Security team, please fake sync the updates from Debian to Trusty, Xenial, and Zesty. The updates work fine on all of those releases.

Tyler Hicks (tyhicks) wrote :

This bug is fixed with the following updates:
1.4-2+deb8u1build0.17.04.2 zesty-security
1.4-2+deb8u1build0.16.04.2 xenial-security
1.4-2+deb8u1build0.14.04.2 trusty-security

Changed in wordpress-shibboleth (Ubuntu Trusty):
status: In Progress → Fix Released
Changed in wordpress-shibboleth (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in wordpress-shibboleth (Ubuntu Zesty):
status: In Progress → Fix Released