[SECURITY] Fedora 21 Update: wordpress-4.2.4-1.fc21

updates at fedoraproject.org updates at fedoraproject.org
Thu Aug 13 16:54:48 UTC 2015 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-12148
2015-07-29 21:38:44
--------------------------------------------------------------------------------

Name        : wordpress
Product     : Fedora 21
Version     : 4.2.4
Release     : 1.fc21
URL         : http://www.wordpress.org
Summary     : Blog tool and publishing platform
Description :
Wordpress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.

Important information in /usr/share/doc/wordpress/README.fedora

--------------------------------------------------------------------------------
Update Information:

**WordPress 4.2.4 Security and Maintenance Release**

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see:
 the release notes or consult the list of changes.
* the release notes: https://codex.wordpress.org/Version_4.2.4
* the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=33573&stop_rev=33396

**WordPress 4.2.3 Security and Maintenance Release**

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see:
* the release notes: https://codex.wordpress.org/Version_4.2.3
* the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=33382&stop_rev=32430

--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug  4 2015 Remi Collet <remi at fedoraproject.org> - 4.2.4-1
- WordPress 4.2.4 Security and Maintenance Release
* Fri Jul 24 2015 Remi Collet <remi at fedoraproject.org> - 4.2.3-1
- WordPress 4.2.3 Security and Maintenance Release
* Thu May  7 2015 Remi Collet <remi at fedoraproject.org> - 4.2.2-1
- WordPress 4.2.2 Security and Maintenance Release
* Tue Apr 28 2015 Remi Collet <remi at fedoraproject.org> - 4.2.1-1
- WordPress 4.2.1 Security Release
- WordPress 4.2 “Powell”
* Fri Apr 24 2015 Remi Collet <remi at fedoraproject.org> - 4.1.3-1
- WordPress 4.1.3 Maintenance Release
* Thu Apr 23 2015 Remi Collet <remi at fedoraproject.org> - 4.1.2-1
- WordPress 4.1.2 Security Release
* Thu Feb 19 2015 Remi Collet <remi at fedoraproject.org> - 4.1.1-1
- WordPress 4.1.1 Maintenance Release
* Mon Dec 22 2014 Remi Collet <remi at fedoraproject.org> - 4.1-1
- WordPress 4.1 “Dinah”
* Fri Nov 21 2014 Remi Collet <remi at fedoraproject.org> - 4.0.1-1
- WordPress 4.0.1 Security Release
* Tue Sep 30 2014 Remi Collet <remi at fedoraproject.org> - 4.0-3
- use system php-getid3 when available #1145574
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1246396 - CVE-2015-5622 CVE-2015-5623 wordpress: cross-site scripting and permission issue fixed in wordpress 4.2.3
        https://bugzilla.redhat.com/show_bug.cgi?id=1246396
  [ 2 ] Bug #1250583 - CVE-2015-2213 CVE-2015-5730 CVE-2015-5731 CVE-2015-5732 CVE-2015-5733 CVE-2015-5734 wordpress: cross-site scripting vulnerabilities and a potential SQL injection
        https://bugzilla.redhat.com/show_bug.cgi?id=1250583
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update wordpress' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list