WordPress 3.9.2 Security Release fixes XML-RPC DoS

Reading Time: 1 Minute
It's only fair to share...
Share on Facebook2Tweet about this on TwitterShare on LinkedInShare on Google+

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases.

Advertisement:

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

Read more at WordPress.org

WordPress and Drupal Denial Of Service Vulnerability Full Disclosure #

More technical, full disclosure, information on the XML-RPC vulnerability is available at Break Security.

It's only fair to share...
Share on Facebook2Tweet about this on TwitterShare on LinkedInShare on Google+

Advertisement:

Related:   Open DNS Resolver Project

One Reply to “WordPress 3.9.2 Security Release fixes XML-RPC DoS”

Hi! Join the discussion, leave a reply!