Author: derevko-guest Date: 2009-08-11 20:45:32 +0000 (Tue, 11 Aug 2009) New Revision: 12571 Modified: data/CVE/list data/ospu-candidates.txt data/spu-candidates.txt Log: etch and lenny are not affected by wordpress password reset issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-08-11 20:38:42 UTC (rev 12570) +++ data/CVE/list 2009-08-11 20:45:32 UTC (rev 12571) @@ -1,11 +1,10 @@ CVE-2009-XXXX [wordpress password reset] - wordpress <unfixed> (low; bug #541102) - [lenny] - wordpress <no-dsa> (Minor issue) - [etch] - wordpress <no-dsa> (Minor issue) + [lenny] - wordpress <not-affected> (Vulnerable code not present) + [etch] - wordpress <not-affected> (Vulnerable code not present) NOTE: not really a security issue in my opinion, just an annoying bug NOTE: attacker can gain access to wordpress accounts, which is undesirable, NOTE: but not horribly useful or bad for the rest of the system - NOTE: this is targeted to be fixed in stable point releases CVE-2009-XXXX [libxerces2-java: xml-based firewall bypass / port scanning] - libxerces2-java <unfixed> (low; bug #540862) [etch] - libxerces2-java <no-dsa> (minor issue) Modified: data/ospu-candidates.txt ==================================================================--- data/ospu-candidates.txt 2009-08-11 20:38:42 UTC (rev 12570) +++ data/ospu-candidates.txt 2009-08-11 20:45:32 UTC (rev 12571) @@ -718,12 +718,6 @@ -- -wordpress -bug #541102 -notified maintainer - --- - wyrd (CVE-2008-0806) bug #466382 notified maintainer Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2009-08-11 20:38:42 UTC (rev 12570) +++ data/spu-candidates.txt 2009-08-11 20:45:32 UTC (rev 12571) @@ -196,12 +196,6 @@ -- -wordpress -bug #541102 -notified maintainer - --- - xemacs21 (CVE-2008-2142) bug #480877 notified maintainer
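Review bot: In the data/CVE/list hunk, changing lenny and etch from `<no-dsa> (Minor issue)` to `<not-affected> (Vulnerable code not present)` is a claim about the packaged source of those releases, yet neither the log message nor the entry records what was checked (which file or function, or which PoC against which package version); a NOTE line naming the inspected file would make the triage reproducible. The NOTE lines kept in the hunk are also inconsistent with each other: `not really a security issue in my opinion` sits next to `attacker can gain access to wordpress accounts`, which is precisely the impact that justifies keeping the sid entry open at low severity, so the first NOTE should be reworded to say that. Dropping `NOTE: this is targeted to be fixed in stable point releases` is the right consequence of not-affected, but if that marking is revised the line has to come back with it.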
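Review bot: In the data/ospu-candidates.txt hunk (and identically in the data/spu-candidates.txt hunk), removing the `wordpress` / `bug #541102` / `notified maintainer` block is a direct consequence of the `<not-affected>` marking in data/CVE/list, so the candidate-list removals and the status change should be kept or reverted together rather than treated as independent edits; the sid entry in data/CVE/list still carries `bug #541102` as `<unfixed>`, so the bug itself stays tracked there.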
Michael S. Gilbert
2009-Aug-11 20:55 UTC
[Secure-testing-team] [Secure-testing-commits] r12571 - in data: . CVE
On Tue, 11 Aug 2009 20:45:32 +0000, Giuseppe Iuculano wrote:

> Author: derevko-guest
> Date: 2009-08-11 20:45:32 +0000 (Tue, 11 Aug 2009)
> New Revision: 12571
>
> Modified:
> data/CVE/list
> data/ospu-candidates.txt
> data/spu-candidates.txt
> Log:
> etch and lenny are not affected by wordpress password reset issue

are you sure about this? i had checked lenny, and saw the vulnerable bit of code in wp-login.php. note that the same code is also present in wp-content/plugins/akismet/akismet.php.

mike
Giuseppe Iuculano
2009-Aug-12 04:27 UTC
[Secure-testing-team] [Secure-testing-commits] r12571 - in data: . CVE
Michael S. Gilbert wrote:

> are you sure about this? i had checked lenny, and saw the vulnerable
> bit of code in wp-login.php.

I tried the PoC and it works only in 2.8.x. I didn't investigate the code because it really seems just an annoying bug, not a security issue.

Cheers,
Giuseppe.
Michael S. Gilbert
2009-Aug-12 05:05 UTC
[Secure-testing-team] [Secure-testing-commits] r12571 - in data: . CVE
On Wed, 12 Aug 2009 06:27:35 +0200 Giuseppe Iuculano wrote:

> Michael S. Gilbert wrote:
>
> > are you sure about this? i had checked lenny, and saw the vulnerable
> > bit of code in wp-login.php.
>
> I tried the PoC and it works only in 2.8.x.
> I didn't investigate the code because it really seems just an annoying bug, not
> a security issue.

the proof-of-concept may be version-specific. it may just require minor modifications to be compatible with old versions. i think conclusions need to be drawn based on known vulnerable source, rather than checking against proof-of-concepts. besides, it is just a one-line change to address the flaw.

mike