> Package: wordpress
> Severity: important
> Tags: security, patch
>
> Hi,
>
> the following CVE (Common Vulnerabilities & Exposures) id was published for wordpress.
>
> CVE-2008-5278[0]:
> Cross-site scripting (XSS) vulnerability in the self_link function in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).
>
> The upstream patch is here[1], look at the diff in wp-includes/feed.php. (Although I guess it would have been easier to use htmlspecialchars(), instead of writing their own function :) ).
>
> If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
First of all thank you for reporting this. Upstream's solution isn't so bad in my opinion. Moreover I think using the official patch should protect us from future bugs.

I'll have the new package ready for tomorrow.

Thank you again.

Cheers.
Andrea De Iacovo
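The pattern behind the report, as an added illustration that is not WordPress's code or the upstream patch: a simplified stand-in for self_link() that places the request's Host header into the feed's atom:link href attribute unescaped, beside the same function with the htmlspecialchars() escaping the reporter mentions. The function names, the constructed $request array and the check at the end are assumptions for this example.

```php
<?php
// Added illustration of CVE-2008-5278 (not WordPress's own feed.php code).
// Both functions are simplified, hypothetical stand-ins for self_link().

// Pre-fix behaviour: the Host header value ends up in an attribute as-is.
// Anything a client sends in Host that contains '"' or '<' breaks out of
// the href attribute and becomes markup in the feed.
function self_link_unescaped(array $server): string {
    $scheme = (isset($server['HTTPS']) && $server['HTTPS'] === 'on') ? 'https' : 'http';
    $url = $scheme . '://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
    return '<atom:link href="' . $url . '" rel="self" type="application/rss+xml" />';
}

// Hardened form: escape the request-controlled value before it is placed in
// an attribute. ENT_QUOTES also turns single quotes into entities, so the
// value is safe in either attribute quoting style.
function self_link_escaped(array $server): string {
    $scheme = (isset($server['HTTPS']) && $server['HTTPS'] === 'on') ? 'https' : 'http';
    $url = $scheme . '://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
    return '<atom:link href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '" rel="self" type="application/rss+xml" />';
}

// Constructed request (not a real capture): a Host value that closes the
// href attribute and inserts a harmless tag, enough to show the breakout.
$request = [
    'HTTP_HOST'   => 'example.invalid"><b>injected</b><x a="',
    'REQUEST_URI' => '/feed/',
];

echo self_link_unescaped($request), "\n"; // <b>injected</b> appears as live markup
echo self_link_escaped($request), "\n";   // quotes and angle brackets become entities

// Check a maintainer can run against the patched function: no raw tag from
// the Host value may survive inside the attribute.
$escaped = self_link_escaped($request);
if (strpos($escaped, '<b>') !== false) {
    throw new RuntimeException('Host header was not escaped');
}
echo "escaped output contains no raw markup from Host\n";
```

Escaping at the output point is the minimal fix; a stricter option is to build the self link from the site's configured home URL rather than from the request's Host header at all.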