WordPress 3.4.1 is now available for download. WordPress 3.4 has been a very smooth release, and copies are flying off the shelf — 3 million downloads in two weeks! This maintenance release addresses 18 bugs with version 3.4, including:
Fixes an issue where a theme’s page templates were sometimes not detected.
Addresses problems with some category permalink structures.
Better handling for plugins or themes loading JavaScript incorrectly.
Adds early support for uploading images on iOS 6 devices.
Allows for a technique commonly used by plugins to detect a network-wide activation.
Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.
Version 3.4.1 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential information disclosure as well as an bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.
Download 3.4.1 now or visit Dashboard → Updates in your site admin to update now.
Green was a bit green
We have hardened it up some
Update WordPress now
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding. (CVSS:2.6) (Last Update:2013-05-14)
The ROSE protocol implementation in the Linux kernel before 2.6.39 does not verify that certain data-length values are consistent with the amount of data sent, which might allow remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via crafted data to a ROSE socket.
Rene Engelhard uploaded new packages for libreoffice which fixed
the following security problem:
CVE-2012-1149
Integer overflows in PNG image handling
For the squeeze-backports distribution the problems have been fixed in
version 1:3.4.6-2~bpo60+2.
Micah Anderson uploaded new packages for strongswan which fixed the
following security problems:
CVE-2012-2388
An authentication bypass issue was discovered by the Codenomicon CROSS
project in strongSwan, an IPsec-based VPN solution. When using
RSA-based setups, a missing check in the gmp plugin could allow an
attacker presenting a forged signature to successfully authenticate
against a strongSwan responder.
For the squeeze-backports distribution the problems have been fixed in
version 4.5.2-1.4~bpo60+1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dominic Hargreaves uploaded new packages for request-tracker4 which fixed
the following security problems:
CVE-2011-2082
The vulnerable-passwords scripts introduced for CVE-2011-0009
failed to correct the password hashes of disabled users.
CVE-2011-2083
Several cross-site scripting issues have been discovered.
CVE-2011-2084
Password hashes could be disclosed by privileged users.
CVE-2011-2085
Several cross-site request forgery vulnerabilities have been
found. If this update breaks your setup, you can restore the old
behaviour by setting $RestrictReferrer to 0.
CVE-2011-4458
The code to support variable envelope return paths allowed the
execution of arbitrary code.
CVE-2011-4459
Disabled groups were not fully accounted as disabled.
CVE-2011-4460
SQL injection vulnerability, only exploitable by privileged users.
For the squeeze-backports distribution the problems have been fixed in
version 4.0.5-3~bpo60+1.
-----BEG
Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Description
Denial of Service
CVE: CVE-2012-1588
Drupal core’s text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal’s text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the “post comments” or “Forum topic: Create new content” permission.
Unvalidated form redirect
CVE: CVE-2012-1589
Drupal core’s Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user’s ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.
Access bypass – forum listing
CVE: CVE-2012-1590
Drupal core’s forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.
Access bypass – private images
CVE: CVE-2012-1591
Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn’t set the right headers to prevent image styles from being cached in the browser.
Access bypass – content administration
CVE: CVE-2012-2153
Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the “Access the content overview page” permission. Unpublished nodes were not displayed to users who only had the “Access the content overview page” permission.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi.
I uploaded new packages for nginx which fixed the following security
problems:
CVE-2012-2089 - nginx -- arbitrary code execution in mp4
pseudo-streaming module
A flaw was reported in the nginx standard mp4 pseudo-streaming module. A
specially-crafted mp4 file could allow for the overwriting of memory
locations in a worker process if ngx_http_mp4_module were used. This
could potentially result in arbitrary code execution with the privileges
of the unprivileged nginx user.
This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only
affected versions newer than 1.1.3 and 1.0.7 when built with the
ngx_http_mp4_module and had the "mp4" directive set in the configuration
file.
For the squeeze-backports distribution the problems have been fixed in
version
1.1.19-1~bpo60+1
For wheezy (testing) and sid (unstable) this was fixed in version
1.1.19-1
Squeeze (stable) is not vulnerable to this security issue.
Thanks.
- --
Cyril "Davromani