[Secure-testing-commits] r30337 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Tue Nov 25 21:17:05 UTC 2014


Author: carnil
Date: 2014-11-25 21:17:05 +0000 (Tue, 25 Nov 2014)
New Revision: 30337

Modified:
   data/CVE/list
Log:
CVEs for wordpress assigned

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-11-25 21:13:42 UTC (rev 30336)
+++ data/CVE/list	2014-11-25 21:17:05 UTC (rev 30337)
@@ -28,10 +28,33 @@
 	- clamav 0.98.5+dfsg-1 (bug #770985)
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11155
 	NOTE: Upstream commit: https://github.com/vrtadmin/clamav-devel/commit/fc3794a54d2affe5770c1f876484a871c783e91e
-CVE-2014-XXXX [wordpress various vulnerabilities]
+CVE-2014-9039 [Previously an email address change would not invalidate a previous password reset email]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9038 [SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9037 [Hash comparison vulnerability in old-style MD5-stored passwords]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9036 [XSS in HTML filtering of CSS in posts]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9035 [XSS in Press This]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9034 [Denial of service for giant passwords]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9033 [CSRF in the password reset process]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9032 [XSS in media playlists]
+        - wordpress 4.0.1+dfsg-1 (bug #770425)
+        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
+CVE-2014-9031 [XSS in wptexturize() via comments or posts]
 	- wordpress 4.0.1+dfsg-1 (bug #770425)
 	NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-	NOTE: split this entry up when CVEs assigned
 CVE-2014-9028 [Heap buffer write overflow]
 	- flac <unfixed> (bug #770918)
 	NOTE: Upstream patch https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
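Review bot: The added lines for CVE-2014-9039 through CVE-2014-9032 indent their "- wordpress" and "NOTE:" lines with eight spaces, while the unchanged context lines and the two lines kept under CVE-2014-9031 use a single tab. Please change the added lines to a leading tab, so that the file stays consistent and any tooling that keys on leading whitespace handles all nine wordpress entries the same way.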
@@ -92,7 +115,6 @@
 	- drupal7 7.32-1+deb8u1 (bug #770469)
 	- drupal6 <not-affected> (Only affects Drupal 7.x)
 	NOTE: https://www.drupal.org/SA-CORE-2014-006
-	- wordpress 4.0.1+dfsg-1 (bug #770425)
 CVE-2014-9018 [on-connect scripts: icecast can leak output to attentive sources]
 	- icecast2 <unfixed> (bug #770222)
 	NOTE: https://trac.xiph.org/ticket/2089
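Review bot: The removal of "- wordpress 4.0.1+dfsg-1 (bug #770425)" from the entry that also lists drupal7 and SA-CORE-2014-006 is not explained by the log message, which only says that CVEs were assigned. If wordpress is dropped here because its issue now has a separate id among the entries added in the first hunk (the "Denial of service for giant passwords" entry looks like the candidate), please say so in the log or in a NOTE, so that a later reader does not take the removal for wordpress being unaffected.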



