[SECURITY] Fedora 31 Update: wordpress-5.4.2-1.fc31

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2020-bbedd29391 2020-06-23 01:12:06.465535 -------------------------------------------------------------------------------- Name : wordpress Product : Fedora 31 Version : 5.4.2 Release : 1.fc31 URL : http://www.wordpress.org Summary : Blog tool and publishing platform Description : Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora -------------------------------------------------------------------------------- Update Information: **WordPress 5.4.2 Security and Maintenance Release** This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes���see the list below. These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you���ll want to upgrade. **Security Updates** WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven���t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues. * Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor. * Props to Luigi ��� (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files. * Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect(). * Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads. * Props to Simon Scannell of RIPS Technologies for finding an issue where set- screen-option can be misused by plugins leading to privilege escalation. * Props to Carolina Nymark for discovering an issue where comments from password- protected posts and pages could be displayed under certain conditions. -------------------------------------------------------------------------------- ChangeLog: * Thu Jun 11 2020 Remi Collet <remi(a)remirepo.net&gt; - 5.4.2-1 - WordPress 5.4.2 Security and Maintenance Release -------------------------------------------------------------------------------- References: [ 1 ] Bug #1848680 - CVE-2020-4046 wordpress: authenticated XSS through embed block https://bugzilla.redhat.com/show_bug.cgi?id=1848680 [ 2 ] Bug #1848684 - CVE-2020-4047 wordpress: authenticated XSS via media attachment page https://bugzilla.redhat.com/show_bug.cgi?id=1848684 [ 3 ] Bug #1848689 - CVE-2020-4048 wordpress: open redirect in wp_validate_redirect function https://bugzilla.redhat.com/show_bug.cgi?id=1848689 [ 4 ] Bug #1848692 - CVE-2020-4049 wordpress: authenticated self-XSS via theme uploads https://bugzilla.redhat.com/show_bug.cgi?id=1848692 [ 5 ] Bug #1848697 - CVE-2020-4050 wordpress: set-screen-option filter misuse by plugins leads to privilege escalation https://bugzilla.redhat.com/show_bug.cgi?id=1848697 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-bbedd29391' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------