Bug 1022445 (CVE-2017-5611)

Summary: VUL-1: CVE-2017-5611: wordpress: SQLi when passing unsafe data
Product: [openSUSE] openSUSE.org
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: 3rd party software
Assignee: Eric Schirra <ecsos>
Status: RESOLVED FIXED
QA Contact: E-mail List <opensuse-communityscreening>
Severity: Normal
Priority: P4 - Low
CC: chris, ecsos, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2017-01-28 21:23:48 UTC
Ref: http://seclists.org/oss-sec/2017/q1/217
============================================
WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data.
WordPress core is not directly vulnerable to this issue, but we've added
hardening to prevent plugins and themes from accidentally causing a
vulnerability. Reported by Mo Jangda (batmoo).

https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
============================================

Assigned: CVE-2017-5611

https://software.opensuse.org/package/wordpress

Version 4.6.1 for TW|42.(1|2) in the server:php:applications repo.

Comment 1 Swamp Workflow Management 2017-01-28 23:00:40 UTC
bugbot adjusting priority

Comment 2 Andreas Stieger 2017-01-29 08:12:42 UTC
The SUSE security team does not cover packages not currently in the distribution. Not treating as an incident; assigning/cc'ing community maintainers.

Comment 3 Eric Schirra 2017-02-04 09:35:26 UTC
Updated packages in server:php:applications to version 7.7.2.