WordPress 3.5.1 Maintenance and Security Release

WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. It is also a security release for all previous WordPress versions. For a full list of changes, consult the list of tickets and the changelog, which include:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

Additionally, a bug affecting Windows servers running IIS can prevent updating from 3.5 to 3.5.1. If you receive the error “Destination directory for file streaming does not exist or is not writable,” you will need to follow the steps outlined on the Codex.

WordPress 3.5.1 also addresses the following security issues:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

Download 3.5.1 or visit Dashboard → Updates in your site admin to update now.

CVE-2012-6096

Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable. (CVSS:7.5) (Last Update:2013-06-04)

SA-CORE-2013-001 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2013-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-January-16
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Cross-site scripting (Various core and contributed modules – Drupal 6 and 7)

A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection.

Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.

CVE: CVE-2013-0244 (a CVE was also separately issued for jQuery)

Access bypass (Book module printer friendly version – Drupal 6 and 7)

A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the ‘access printer-friendly version’ permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.

CVE: CVE-2013-0245

Access bypass (Image module – Drupal 7)

Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on “image styles” and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.

CVE: CVE-2013-0246

CVE identifier(s) issued

  • CVE-2013-0244
  • CVE-2013-0245
  • CVE-2013-0246

Versions affected

  • Drupal core 6.x versions prior to 6.28.
  • Drupal core 7.x versions prior to 7.19.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 

[BSA-079] Security Update for icinga

Jan Wagner uploaded new packages for icinga which fixed the following
security problems:

CVE-2012-6096
  CGI buffer overflows

  https://security-tracker.debian.org/tracker/CVE-2012-6096

For the squeeze-backports distribution the problems have been fixed in
version 1.7.1-5~bpo60+1 of the icinga package.

For the testing distribution (wheezy) these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.7.1-5 of the icinga package.

[BSA-078] Security Update for freetype

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I uploaded new packages for freetype which fixed the
following security problems:

CVE-2012-5668: NULL Pointer Dereference in bdf_free_font.
CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs.
CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs.

For the squeeze-backports distribution the problems have been fixed in
version 2.4.9-1.1~bpo60+1.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQ7NNzAAoJEDEWul6f+mmjyIYQAKyNZKj2qYFIudH3lAWpOhhb
qrY5+oij1HBGmmEeoymgK0waceXF8QfvuqP+3+P+5wsebbpl5Yh4zPFUlK4dvT9u
1/kWJMoqCN3IKh6r6HnsqP7hvLpZ+DpkX+x0t9r82XmIxauwp73mekP/vC2ueSZ/
Jn6jwXet+oy83YJ7fSmmS6uT2DZpeHgdN9S6b6/HyZsAdq3l6RetGbJMikA9P2Mw
3G9dAmsLJ4M060MCe4vJ7MAJHmx8GTbz/1FQn1DBHW/vry47SaiHcHcqHTAGaZFy
UQo9Duhe+vGnWrJCHlmtNWeijZDEocNSStiraTP+2JgCq1hCs4KJ/g/WEnT3CKYX
n7J1waaL2p8WhgvzXJpbbKQ9hppaM1UZAXHQ3oggx+DsvnLzN17JeKz7m4iT+078
8xwzueiQYCYuO2gtl6pEZ6G55dBuvhVhSfau4vR+cTD3qXguyr4gf/va40AXRvPH
xDiP1tkmA5j11+Y1urCpN634fkHruWhipL