--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-bbedd29391
2020-06-23 01:12:06.465535
--------------------------------------------------------------------------------
Name : wordpress
Product : Fedora 31
Version : 5.4.2
Release : 1.fc31
URL : http://www.wordpress.org
Summary : Blog tool and publishing platform
Description :
Wordpress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.
Important information in /usr/share/doc/wordpress/README.fedora
--------------------------------------------------------------------------------
Update Information:
**WordPress 5.4.2 Security and Maintenance Release**

This security and maintenance release features 23 fixes and enhancements. Plus,
it adds a number of security fixes - see the list below. These bugs affect
WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you'll want
to upgrade.

**Security Updates**

WordPress versions 5.4 and earlier are affected by the following bugs, which
are fixed in version 5.4.2. If you haven't yet updated to 5.4, there are also
updated versions of 5.3 and earlier that fix the security issues.

* Props to Sam Thomas (jazzy2fives) for finding an XSS issue where
  authenticated users with low privileges are able to add JavaScript to posts
  in the block editor.
* Props to Luigi - (gubello.me) for discovering an XSS issue where
  authenticated users with upload permissions are able to add JavaScript to
  media files.
* Props to Ben Bidner of the WordPress Security Team for finding an open
  redirect issue in wp_validate_redirect().
* Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme
  uploads.
* Props to Simon Scannell of RIPS Technologies for finding an issue where
  set-screen-option can be misused by plugins leading to privilege escalation.
* Props to Carolina Nymark for discovering an issue where comments from
  password-protected posts and pages could be displayed under certain
  conditions.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun 11 2020 Remi Collet <remi(a)remirepo.net> - 5.4.2-1
- WordPress 5.4.2 Security and Maintenance Release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1848680 - CVE-2020-4046 wordpress: authenticated XSS through embed block
https://bugzilla.redhat.com/show_bug.cgi?id=1848680
[ 2 ] Bug #1848684 - CVE-2020-4047 wordpress: authenticated XSS via media attachment
page
https://bugzilla.redhat.com/show_bug.cgi?id=1848684
[ 3 ] Bug #1848689 - CVE-2020-4048 wordpress: open redirect in wp_validate_redirect
function
https://bugzilla.redhat.com/show_bug.cgi?id=1848689
[ 4 ] Bug #1848692 - CVE-2020-4049 wordpress: authenticated self-XSS via theme uploads
https://bugzilla.redhat.com/show_bug.cgi?id=1848692
[ 5 ] Bug #1848697 - CVE-2020-4050 wordpress: set-screen-option filter misuse by plugins
leads to privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1848697
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-bbedd29391' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------