Package name
wordpress
Date
2013-07-02
Advisory ID
MDVSA-2013:189
Affected versions
MBS1 x86_64

Problem description

Updated wordpress package fixes security vulnerabilities:

A denial of service flaw was found in the way WordPress, a blog tool
and publishing platform, performed hash computation when checking the
password of password-protected blog posts. A remote attacker could
provide a specially crafted input that, when processed by the password
checking mechanism of WordPress, would lead to excessive CPU consumption
(CVE-2013-2173).
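
The cost model behind this flaw, and the usual mitigation, as an added
illustration that is not part of the advisory or of WordPress's own code.
The hash core below follows the phpass "portable" construction (one MD5
over salt and password, then 2^rounds MD5 iterations over the previous
digest and the password), so the work grows with password length times
round count; a submitted password of several megabytes therefore costs
gigabytes of hashing. The cap MAX_PASSWORD_BYTES and the helper names are
assumptions for the example; the advisory does not state the exact bound
the upstream fix uses.

```python
import hashlib
import hmac

# Assumption for this example: bound on a submitted post password. The
# advisory does not state the exact limit WordPress 3.5.2 applies.
MAX_PASSWORD_BYTES = 4096


def iterated_md5(password: bytes, salt: bytes, log2_rounds: int) -> bytes:
    """phpass-style portable hash core, simplified: md5(salt + pw), then
    2**log2_rounds rounds of md5(previous_digest + pw). The real scheme
    also encodes the result with a custom base64; that is omitted here."""
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.md5(digest + password).digest()
    return digest


def hash_work_bytes(password_len: int, log2_rounds: int) -> int:
    """Bytes fed to MD5 by iterated_md5 for an 8-byte salt: the first
    round hashes salt + password, every further round hashes a 16-byte
    digest + password. The attacker controls password_len, so the total
    is linear in the size of the submitted input."""
    return (8 + password_len) + (1 << log2_rounds) * (16 + password_len)


def check_post_password(candidate: str, stored_digest: bytes, salt: bytes,
                        log2_rounds: int = 8) -> bool:
    """Hardened check: reject oversized input before any hashing happens,
    then compare digests in constant time."""
    pw = candidate.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(iterated_md5(pw, salt, log2_rounds),
                               stored_digest)


if __name__ == "__main__":
    salt = b"saltsalt"  # constructed 8-byte salt
    stored = iterated_md5(b"secret", salt, 8)
    print(check_post_password("secret", stored, salt, 8))
    print(check_post_password("A" * (MAX_PASSWORD_BYTES + 1), stored, salt, 8))
    print(hash_work_bytes(1_000_000, 13))
```

The length check must run before the hasher is invoked; rejecting after
hashing would still let the attacker burn the CPU. The round count is a
server-side cost knob, so it is the input length that has to be bounded.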

Inadequate server-side request forgery (SSRF) protection for HTTP
requests in which a user can supply the target URL can allow attacks
against the intranet and other sites. This is a continuation of work
related to CVE-2013-0235, which was specific to SSRF in pingback requests
and was fixed in 3.5.1 (CVE-2013-2199).
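
The kind of gate the advisory refers to, as an added example that is not
part of the advisory or of WordPress's own request code. A user-supplied
URL is accepted only if its scheme, port and credentials are sane and
every address its host resolves to is publicly routable (no loopback,
RFC 1918, link-local such as 169.254.169.254, multicast or reserved
ranges). The resolver table FAKE_DNS is constructed so the example runs
offline; a deployment would use the system resolver. The allowed scheme
and port sets are assumptions chosen for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (assumption:
# a real deployment resolves through the system resolver instead).
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only plain web fetches
ALLOWED_PORTS = {80, 443}             # assumption: no internal service ports


def resolve(host: str, dns=FAKE_DNS) -> list:
    """Return every address the host resolves to (all must be checked)."""
    return list(dns.get(host.lower(), []))


def is_public_address(ip_text: str) -> bool:
    """True only for addresses an outbound fetch may legitimately reach.
    IPv4-mapped IPv6 is unwrapped first so ::ffff:127.0.0.1 cannot slip
    past the loopback test."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_url(url: str, dns=FAKE_DNS) -> bool:
    """Gate a user-supplied URL before the server fetches it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # user:pass@host forms are a classic way to confuse URL parsers.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        port = parts.port            # raises ValueError on a bogus port
    except ValueError:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    # An IP literal is checked directly; a name is resolved and every
    # returned address must pass, so a name mixing public and loopback
    # answers is refused.
    try:
        targets = [str(ipaddress.ip_address(host))]
    except ValueError:
        targets = resolve(host, dns)
    if not targets:
        return False
    return all(is_public_address(ip) for ip in targets)


if __name__ == "__main__":
    for candidate in ("https://example.org/feed",
                      "http://intranet.corp/admin",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.attacker.test/"):
        print(candidate, is_safe_fetch_url(candidate))
```

Two caveats a fetcher built on this still has to handle: checking at
resolve time does not defeat DNS rebinding between the check and the
connect, so the fetcher should connect to the address it validated rather
than resolving again; and every redirect target must be passed through
the same gate, otherwise a public host can bounce the request inward.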

Inadequate checking of a user's capabilities could allow them to
publish posts when their user role should not allow for it; and to
assign posts to other authors (CVE-2013-2200).

Inadequate escaping allowed an administrator to trigger a cross-site
scripting vulnerability through the uploading of media files and
plugins (CVE-2013-2201).

The processing of an oEmbed response is vulnerable to XML external
entity (XXE) injection (CVE-2013-2202).
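
What a hardened oEmbed XML consumer looks like, as an added example that
is not part of the advisory or of WordPress's own oEmbed code. The parser
refuses any DOCTYPE, entity declaration or external entity reference
before it is processed, bounds the response size, and only accepts the
flat <oembed> document the format defines. The two response bodies are
constructed for the example; the size limit and helper names are
assumptions.

```python
import xml.parsers.expat

MAX_RESPONSE_BYTES = 64 * 1024   # assumption: oEmbed payloads are small


class UnsafeXML(Exception):
    """Raised when a response tries to use DTD or entity features."""


def parse_oembed_xml(data: bytes) -> dict:
    """Parse an oEmbed XML response into {field: text} with XXE refused."""
    if len(data) > MAX_RESPONSE_BYTES:
        raise UnsafeXML("response too large")
    fields, stack, buf = {}, [], []

    # Any DTD machinery is rejected outright; a legitimate oEmbed
    # provider never needs it and it is the vehicle for XXE.
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed in an oEmbed response")

    def forbid_entity_decl(*args):
        raise UnsafeXML("entity declaration not allowed")

    def forbid_external_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference not allowed")

    def start(name, attrs):
        if not stack and name != "oembed":
            raise UnsafeXML("unexpected root element %r" % name)
        stack.append(name)
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(name):
        stack.pop()
        if len(stack) == 1:            # direct child of <oembed>
            fields[name] = "".join(buf).strip()
        buf.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)           # raises UnsafeXML from the handlers

    for required in ("type", "version"):
        if required not in fields:
            raise ValueError("oEmbed response missing <%s>" % required)
    return fields


def rejects(data: bytes) -> bool:
    """True if parse_oembed_xml refuses the document as unsafe."""
    try:
        parse_oembed_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed benign provider response.
GOOD_RESPONSE = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<oembed><version>1.0</version><type>video</type>'
    b'<title>Example clip</title>'
    b'<html>&lt;iframe src="https://example.org/embed/1"&gt;&lt;/iframe&gt;</html>'
    b'</oembed>'
)

# Constructed hostile response: an external entity pointing at a local file.
EVIL_RESPONSE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE oembed [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    b'<oembed><version>1.0</version><type>&xxe;</type></oembed>'
)

if __name__ == "__main__":
    print(parse_oembed_xml(GOOD_RESPONSE))
    print("hostile response rejected:", rejects(EVIL_RESPONSE))
```

Rejecting the DOCTYPE itself, rather than only disabling entity loading,
also closes the internal-entity expansion (billion laughs) variant, since
no entity can be declared at all. The html field still arrives as
untrusted markup and has to be sanitised before it reaches a page.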

If the uploads directory is not writable, the error message data returned
via XHR includes the full filesystem path to the directory (CVE-2013-2203).

Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project
(CVE-2013-2204).

Cross-domain XSS in SWFUpload (CVE-2013-2205).

Updated packages

MBS1 x86_64

 49ddd0392d475a3dbf886156127e279c  mbs1/x86_64/wordpress-3.5.2-1.mbs1.noarch.rpm 
 28910991fb4994c1afcc6c33768c09fd  mbs1/SRPMS/wordpress-3.5.2-1.mbs1.src.rpm

References