Date: 23 July 2012
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0097.2
Wordpress 3.4.1 has been released
23 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: WordPress
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Increased Privileges -- Existing Account
Cross-site Scripting -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3383 CVE-2012-3384 CVE-2012-3385
Member content until: Saturday, July 28 2012
Revision History: July 23 2012: Added CVE references
June 28 2012: Initial Release
OVERVIEW
Multiple vulnerabilities have been fixed in WordPress 3.4.1.[1]
IMPACT
The following information is available on the WordPress website:
" * Privilege Escalation/XSS. Critical. Administrators and editors in
multisite were accidentally allowed to use unfiltered_html for
3.4.0.
* CSRF. Additional CSRF protection in the customizer.
* Information Disclosure: Disclosure of post contents to authors and
contributors (such as private or draft posts).
* Hardening: Deprecate wp_explain_nonce(), which could reveal
unnecessary information.
* Hardening: Require a child theme to be activated with its intended
parent only." [1]
MITIGATION
Users should upgrade to the latest version. [2]
REFERENCES
[1] Version 3.4.1
http://codex.wordpress.org/Version_3.4.1
[2] Download WordPress
http://wordpress.org/download/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUAzMY+4yVqjM2NGpAQJLww/6A0kMDOoOBwd4crEvIIaXrXxquqhsz6NW
/rpsEwg5r7sncZJp1rK7BCtAWa73Ii+Re32LJjyn3SCNwVGoFA3vAx88OgujgEWD
MxQFGPfy3d6NJGmzuvxv6vqzfH3buTt6VuXcW8VwEzNXuj7E2lzHNdUYWbVPuzrz
pNCsXUnUbVLngjPpOoUz3izY3Eyfi9jnZcq8UvoVfTkAZWJuz/0Psa1lFFEOPjRK
YXwW97DgoezZpcFNV5csLPaQthRsqgThe02gshgGMrg3oOhY1BjbTad0wf8GiP8r
HkpIGb5RZ8pOC2yHznFJVIzlfXJ8/VqMYGB078s5StslRogyE0jo4Vq+kb4QhwfS
CDZhZ1fWlzGXXgHwxJRO95izQZUnnJu+bpMNDRznCytqoHIGFVOrIzS8qt5bT/1O
ekNXtTDQFQDq1vPjG776zMWTF+Hj6YrDHTlkWIzp6iwxgoy8girghfM1iEmChBl0
k49bZGOIg4euR72rTl0n3lw1R4NxRcfSdTfGe4SAEc8kBI7VVkU+QbfNcKwvXGkU
P+96OabsDm6jwcOFLTVkx+wA8bUts4T73ttsNNEwnn6FZ8nCiO56yPNslbXR8Mzi
sGWryZ6p/J8GgQGPFPRo9YAsRrQFLmQszFRZcmTFQhpN0QYjk6eIuBzi0Q/MeslR
69E7cieAL9U=
=pN3B
-----END PGP SIGNATURE-----
|