Hi Craig and others
I have investigated this more and these are my conclusions:
1) WordPress is vulnerable to this problem. It looks like all versions
are vulnerable.
2) Some module explicitly needs to call WP_Http_Curl->request(...) for
the vulnerability to be triggered. I'm not sure how easy or c
Hi
Thank you for the quick response.
The check I did for wheezy was simply to grep for the validation function
and it was missing. This is what I mean with clearly vulnerable. I should
have said clearly not patched.
I have not seen a patch that works for wheezy yet.
I will investigate this more if
On Wed, 7 Jun. 2017, 06:33 Ola Lundqvist wrote:
> I can see the following comments from you:
> + * Backport patches from 4.7.5 Closes: #862816
> + CVEs to be added once issued
> + - CVE-2017-XXX
> + Insufficient redirect validation in the HTTP class.
>
The changelog now reads:
* CVE-20
Hi Craig
I can see the following comments from you:
+ * Backport patches from 4.7.5 Closes: #862816
+ CVEs to be added once issued
+ - CVE-2017-XXX
+ Insufficient redirect validation in the HTTP class.
+ (may not be vulnerable, no patch found)
The patch is available here:
https://git