--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b386fac43a
2020-11-11 01:19:50.943602
--------------------------------------------------------------------------------
Name        : wordpress
Product     : Fedora 32
Version     : 5.5.3
Release     : 1.fc32
URL         : https://wordpress.org/
Summary     : Blog tool and publishing platform
Description :
Wordpress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.

Important information in /usr/share/doc/wordpress/README.fedora

--------------------------------------------------------------------------------
Update Information:

**WordPress 5.5.3 Maintenance Release**

This maintenance release fixes an issue introduced in WordPress 5.5.2 which
makes it impossible to install WordPress on a brand new website that does not
have a database connection configured.

----

**WordPress 5.5.2 Security and Maintenance Release**

**Security Updates**

* Props to Alex Concha of the WordPress Security Team for their work in
  hardening deserialization requests.
* Props to David Binovec on a fix to disable spam embeds from disabled sites
  on a multisite network.
* Thanks to Marc Montas from Sucuri for reporting an issue that could lead to
  XSS from global variables.
* Thanks to Justin Tran who reported an issue surrounding privilege escalation
  in XML-RPC. He also found and disclosed an issue around privilege escalation
  around post commenting via XML-RPC.
* Props to Omar Ganiev who reported a method where a DoS attack could lead to
  RCE.
* Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS
  in post slugs.
* Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a
  method to bypass protected meta that could lead to arbitrary file deletion.
* Thanks to Erwan LR from WPScan who responsibly disclosed a method that could
  lead to CSRF.
* And a special thanks to @zieladam who was integral in many of the releases
  and patches during this release.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Oct 31 2020 Remi Collet  - 5.5.3-1
- WordPress 5.5.3 Maintenance Release
* Fri Oct 30 2020 Remi Collet  - 5.5.2-1
- WordPress 5.5.2 Security and Maintenance Release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1894947 - CVE-2020-28032 wordpress: hardening deserialization requests
        https://bugzilla.redhat.com/show_bug.cgi?id=1894947
  [ 2 ] Bug #1894954 - CVE-2020-28033 wordpress: disable spam embeds from disabled sites on a multisite network
        https://bugzilla.redhat.com/show_bug.cgi?id=1894954
  [ 3 ] Bug #1894957 - CVE-2020-28035 wordpress: XML-RPC privilege escalation
        https://bugzilla.redhat.com/show_bug.cgi?id=1894957
  [ 4 ] Bug #1894962 - CVE-2020-28034 wordpress: XSS via global variables
        https://bugzilla.redhat.com/show_bug.cgi?id=1894962
  [ 5 ] Bug #1894966 - CVE-2020-28036 wordpress: privilege escalation by using XML-RPC to comment on a post
        https://bugzilla.redhat.com/show_bug.cgi?id=1894966
  [ 6 ] Bug #1894969 - CVE-2020-28037 wordpress: DoS attack could lead to RCE
        https://bugzilla.redhat.com/show_bug.cgi?id=1894969
  [ 7 ] Bug #1894974 - CVE-2020-28038 wordpress: stored XSS in post slugs
        https://bugzilla.redhat.com/show_bug.cgi?id=1894974
  [ 8 ] Bug #1894982 - CVE-2020-28039 wordpress: protected meta that could lead to arbitrary file deletion
        https://bugzilla.redhat.com/show_bug.cgi?id=1894982
  [ 9 ] Bug #1894995 - CVE-2020-28040 wordpress: CSRF attacks that change a theme's background image
        https://bugzilla.redhat.com/show_bug.cgi?id=1894995
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b386fac43a' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
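As an added example that is not part of the Fedora advisory, the pre-flight check an administrator would run before and after applying it: decide whether the installed wordpress package predates the fixed version 5.5.3 named in the header, print the exact dnf command from this advisory when it does, and show the package signature after the upgrade. The rpm and dnf invocations are only attempted when those tools exist, so the script also runs offline; the dotted-version comparison is a hand-written numeric field compare that ignores the Release field (an assumption of this example, not rpm's own version-comparison algorithm).

```bash
#!/bin/sh
# Added example (not from the Fedora advisory or the wordpress package):
# pre-flight check for FEDORA-2020-b386fac43a on a Fedora 32 host.

FIXED_VERSION="5.5.3"               # "Version : 5.5.3" in the advisory header
ADVISORY="FEDORA-2020-b386fac43a"   # advisory ID from the header

# version_ge A B: exit 0 when dotted-numeric version A is >= B.
# Fields are compared as integers so 5.10.0 > 5.5.3; a plain string
# comparison would get that wrong. Non-numeric suffixes (e.g. "3rc1") are
# truncated to their leading digits. Assumption: Release is not considered.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# wp_status VERSION: prints "vulnerable" when VERSION predates the fix,
# "fixed" otherwise.
wp_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# check_live_system: query the installed package via rpm when available.
# On a host without rpm (or without wordpress) it only reports and returns 0.
check_live_system() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping live check"
        return 0
    fi
    installed="$(rpm -q --qf '%{VERSION}' wordpress 2>/dev/null)" || {
        echo "wordpress is not installed"
        return 0
    }
    status="$(wp_status "$installed")"
    echo "installed wordpress $installed: $status"
    if [ "$status" = vulnerable ]; then
        # Exactly the command the advisory gives.
        echo "apply with: su -c 'dnf upgrade --advisory $ADVISORY'"
    else
        # After upgrading, confirm the package carries a Fedora Project
        # signature (the Signature line of rpm -qi names the signing key ID).
        rpm -qi wordpress | grep -i '^Signature'
    fi
}

check_live_system
```

The numeric compare is deliberately strict about the Version field only; if you need the full NEVR ordering (epoch, release, tilde and caret rules), let rpm decide with `rpm --eval` or `rpmdev-vercmp` rather than extending this helper.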
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
