Package: wordpress
Severity: important
Tags: security, patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for wordpress.

CVE-2008-5278[0]:
Cross-site scripting (XSS) vulnerability in the self_link function in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).

The upstream patch is here[1], look at the diff in wp-includes/feed.php. (Although I guess it would have been easier to use htmlspecialchars(), instead of writing an own function :) ).

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5278
    http://security-tracker.debian.net/tracker/CVE-2008-5278
[1] http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=tags%2F2.6.5&new=#file2
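As an added illustration of the defect class described above and of the htmlspecialchars() fix the report suggests (this is not WordPress code and not code from the bug report), assume a hypothetical self_link()-style helper that builds a feed's self link from $_SERVER values:

```php
<?php
// Added example, not the WordPress implementation: a minimal helper that
// reflects the request Host header into an RSS <atom:link> element.
// The vulnerable form echoes HTTP_HOST verbatim; the hardened form escapes
// it for an attribute context with htmlspecialchars().

function self_link_vulnerable(array $server): string {
    // Hypothetical: Host header and URI concatenated without escaping.
    $host = $server['HTTP_HOST'];
    $uri  = $server['REQUEST_URI'];
    return '<atom:link href="http://' . $host . $uri
         . '" rel="self" type="application/rss+xml" />';
}

function self_link_fixed(array $server): string {
    // Every request-controlled fragment is escaped; ENT_QUOTES also
    // encodes the double quote that would otherwise end the href attribute.
    $host = htmlspecialchars($server['HTTP_HOST'], ENT_QUOTES, 'UTF-8');
    $uri  = htmlspecialchars($server['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
    return '<atom:link href="http://' . $host . $uri
         . '" rel="self" type="application/rss+xml" />';
}

// Constructed request: a Host value that tries to close the attribute.
$request = [
    'HTTP_HOST'   => 'example.org"><b>injected</b><x a="',
    'REQUEST_URI' => '/feed/',
];

$vuln  = self_link_vulnerable($request);
$fixed = self_link_fixed($request);

// Regression check a packager can keep alongside the patch: the escaped
// output must not contain the raw markup that came in via the Host header.
assert(strpos($vuln, '<b>injected</b>') !== false);   // breakout visible
assert(strpos($fixed, '<b>injected</b>') === false);  // inert after fix
assert(strpos($fixed, '&lt;b&gt;injected&lt;/b&gt;') !== false);

echo $fixed, PHP_EOL;
```

Escaping makes the reflected value inert in the feed, but an absolute URL built from the client-supplied Host header is still better derived from, or validated against, the site's configured hostname.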