--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-a764b11b52
2020-11-11 01:17:49.473225
--------------------------------------------------------------------------------
Name        : wordpress
Product     : Fedora 33
Version     : 5.5.3
Release     : 1.fc33
URL         : http://www.wordpress.org
Summary     : Blog tool and publishing platform
Description :
Wordpress is an online publishing / weblog package that makes it very easy,
almost trivial, to get information out to people on the web.
Important information in /usr/share/doc/wordpress/README.fedora
--------------------------------------------------------------------------------
Update Information:
**WordPress 5.5.3 Maintenance Release**

This maintenance release fixes an issue introduced in WordPress 5.5.2 which makes it impossible to install WordPress on a brand new website that does not have a database connection configured.

----

**WordPress 5.5.2 Security and Maintenance Release**

**Security Updates**

* Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
* Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
* Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
* Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
* Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
* Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
* Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
* Thanks to Erwan LR from WPScan who responsibly disclosed a method that could lead to CSRF.
* And a special thanks to @zieladam who was integral in many of the releases and patches during this release.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Oct 31 2020 Remi Collet <remi@remirepo.net> - 5.5.3-1
- WordPress 5.5.3 Maintenance Release
* Fri Oct 30 2020 Remi Collet <remi@remirepo.net> - 5.5.2-1
- WordPress 5.5.2 Security and Maintenance Release
* Tue Oct 20 2020 Remi Collet <remi@remirepo.net> - 5.5.1-2
- Change FS_METHOD default to 'direct' to allow enabling FILE_MODS #1889644
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1894947 - CVE-2020-28032 wordpress: hardening deserialization requests
      https://bugzilla.redhat.com/show_bug.cgi?id=1894947
[ 2 ] Bug #1894954 - CVE-2020-28033 wordpress: disable spam embeds from disabled sites on a multisite network
      https://bugzilla.redhat.com/show_bug.cgi?id=1894954
[ 3 ] Bug #1894957 - CVE-2020-28035 wordpress: XML-RPC privilege escalation
      https://bugzilla.redhat.com/show_bug.cgi?id=1894957
[ 4 ] Bug #1894962 - CVE-2020-28034 wordpress: XSS via global variables
      https://bugzilla.redhat.com/show_bug.cgi?id=1894962
[ 5 ] Bug #1894966 - CVE-2020-28036 wordpress: privilege escalation by using XML-RPC to comment on a post
      https://bugzilla.redhat.com/show_bug.cgi?id=1894966
[ 6 ] Bug #1894969 - CVE-2020-28037 wordpress: DoS attack could lead to RCE
      https://bugzilla.redhat.com/show_bug.cgi?id=1894969
[ 7 ] Bug #1894974 - CVE-2020-28038 wordpress: stored XSS in post slugs
      https://bugzilla.redhat.com/show_bug.cgi?id=1894974
[ 8 ] Bug #1894982 - CVE-2020-28039 wordpress: protected meta that could lead to arbitrary file deletion
      https://bugzilla.redhat.com/show_bug.cgi?id=1894982
[ 9 ] Bug #1894995 - CVE-2020-28040 wordpress: CSRF attacks that change a theme's background image
      https://bugzilla.redhat.com/show_bug.cgi?id=1894995
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use

  su -c 'dnf upgrade --advisory FEDORA-2020-a764b11b52'

at the command line. For more information, refer to the dnf documentation
available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
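Before running the upgrade, a practitioner usually wants to know whether the host is still on an affected build. The following script is an added example, not part of the Fedora notification: it compares the installed wordpress package's version-release against the fixed build this advisory ships (5.5.3-1.fc33) and prints the dnf command above only if the host is behind. Version ordering uses GNU "sort -V", which is assumed to agree with rpm's EVR comparison for the simple version strings involved here; the rpm query is skipped when rpm is not available, so the script also runs on a non-Fedora host.

```shell
#!/bin/sh
# Added example: decide whether the installed Fedora wordpress package is older
# than the build from FEDORA-2020-a764b11b52 (5.5.3-1.fc33).
# Assumption: GNU "sort -V" orders these version-release strings the same way
# rpm does, which holds for the plain dotted versions used here.

FIXED_VR="5.5.3-1.fc33"

# vr_lt A B : succeed if version-release A sorts strictly before B
vr_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# needs_update VR : succeed if package build VR predates the fixed build
needs_update() {
    vr_lt "$1" "$FIXED_VR"
}

# installed_vr : print the installed wordpress version-release; fail if rpm
# is not available or the package is not installed
installed_vr() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' wordpress 2>/dev/null
}

if vr="$(installed_vr)" && [ -n "$vr" ]; then
    if needs_update "$vr"; then
        echo "wordpress-$vr predates the fixed build $FIXED_VR; apply the advisory:"
        echo "  su -c 'dnf upgrade --advisory FEDORA-2020-a764b11b52'"
    else
        echo "wordpress-$vr already includes the 5.5.2/5.5.3 fixes"
    fi
else
    echo "rpm not available or wordpress not installed; nothing to check"
fi
```

The comparison is kept in `needs_update` so it can be reused, for example by a fleet-wide inventory job that feeds it the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' wordpress` collected from each host.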
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------