--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2013-0237
2013-02-01 12:39:06
--------------------------------------------------------------------------------

Name        : wordpress
Product     : Fedora EPEL 5
Version     : 3.5.1
Release     : 2.el5
URL         : http://www.wordpress.org
Summary     : Blog tool and publishing platform
Description :
Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web.

--------------------------------------------------------------------------------
Update Information:

WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. It is also a security release for all previous WordPress versions. The bug fixes include:

* Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
* Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
* Networks: Suggest proper rewrite rules when creating a new network.
* Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
* Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
* Suppress some warnings that could occur when a plugin misused the database or user APIs.

WordPress 3.5.1 also addresses the following security issues:

* A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
* Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
* A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #904120 - CVE-2013-0235 wordpress: Server-side request forgery and remote port scanning using pingbacks
        https://bugzilla.redhat.com/show_bug.cgi?id=904120
  [ 2 ] Bug #904121 - wordpress: XSS flaws via shortcodes and HTTP POST content
        https://bugzilla.redhat.com/show_bug.cgi?id=904121
  [ 3 ] Bug #904122 - wordpress: XSS in the external Plupload library
        https://bugzilla.redhat.com/show_bug.cgi?id=904122
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update wordpress' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
epel-package-announce@lists.fedoraproject.org