Fedora Update Notification
2020-11-11 01:31:11.923301

Name        : wordpress
Product     : Fedora 31
Version     : 5.5.3
Release     : 1.fc31
URL         : https://www.wordpress.org
Summary     : Blog tool and publishing platform
Description :
Wordpress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.

Important information in /usr/share/doc/wordpress/README.fedora

Update Information:

**WordPress 5.5.3 Maintenance Release**

This maintenance release fixes an issue introduced in WordPress 5.5.2 which
makes it impossible to install WordPress on a brand new website that does not
have a database connection configured.

----

**WordPress 5.5.2 Security and Maintenance Release**

**Security Updates**

* Props to Alex Concha of the WordPress Security Team for their work in
  hardening deserialization requests.
* Props to David Binovec on a fix to disable spam embeds from disabled sites on
  a multisite network.
* Thanks to Marc Montas from Sucuri for reporting an issue that could lead to
  XSS from global variables.
* Thanks to Justin Tran who reported an issue surrounding privilege escalation
  in XML-RPC. He also found and disclosed an issue around privilege escalation
  around post commenting via XML-RPC.
* Props to Omar Ganiev who reported a method where a DoS attack could lead to
  RCE.
* Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS
  in post slugs.
* Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a
  method to bypass protected meta that could lead to arbitrary file deletion.
* Thanks to Erwan LR from WPScan who responsibly disclosed a method that could
  lead to CSRF.
* And a special thanks to @zieladam who was integral in many of the releases
  and patches during this release.

* Sat Oct 31 2020 Remi Collet  - 5.5.3-1
- WordPress 5.5.3 Maintenance Release
* Fri Oct 30 2020 Remi Collet  - 5.5.2-1
- WordPress 5.5.2 Security and Maintenance Release

  [ 1 ] Bug #1894947 - CVE-2020-28032 wordpress: hardening deserialization requests
  [ 2 ] Bug #1894954 - CVE-2020-28033 wordpress: disable spam embeds from disabled sites on a multisite network
  [ 3 ] Bug #1894957 - CVE-2020-28035 wordpress: XML-RPC privilege escalation
  [ 4 ] Bug #1894962 - CVE-2020-28034 wordpress: XSS via global variables
  [ 5 ] Bug #1894966 - CVE-2020-28036 wordpress: privilege escalation by using XML-RPC to comment on a post
  [ 6 ] Bug #1894969 - CVE-2020-28037 wordpress: DoS attack could lead to RCE
  [ 7 ] Bug #1894974 - CVE-2020-28038 wordpress: stored XSS in post slugs
  [ 8 ] Bug #1894982 - CVE-2020-28039 wordpress: protected meta that could lead to arbitrary file deletion
  [ 9 ] Bug #1894995 - CVE-2020-28040 wordpress: CSRF attacks that change a theme's background image

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-15e15c35da' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at