Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wordpress: 5.4.1 -> 5.4.2 #91411

Merged
merged 2 commits into from Jun 26, 2020
Merged

wordpress: 5.4.1 -> 5.4.2 #91411

merged 2 commits into from Jun 26, 2020

Conversation

mweinelt
Copy link
Member

@mweinelt mweinelt commented Jun 24, 2020
edited

Motivation for this change

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

https://nvd.nist.gov/vuln/detail/CVE-2020-4049

Fixes: CVE-2020-4049
Closes: #91305

Things done

Version bump and set up passthru.tests.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot requested a review from basvandijk June 24, 2020 14:58
@mweinelt
Copy link
Member Author

Sorry, the issue number is wrong. I'll fix that in a second.

danieldk
danieldk approved these changes Jun 26, 2020
View reviewed changes
Copy link
Contributor

@danieldk danieldk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@danieldk danieldk merged commit 7287a36 into NixOS:master Jun 26, 2020
@mweinelt mweinelt deleted the wordpress branch June 26, 2020 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danieldk danieldk danieldk approved these changes

@ajs124 ajs124 ajs124 approved these changes

@basvandijk basvandijk Awaiting requested review from basvandijk

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability roundup 86: wordpress-5.4.1: 1 advisory [2.4]
3 participants
@mweinelt @danieldk @ajs124