WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#5383 closed defect (bug) (duplicate)

security notification

Reported by: chuckpeters Owned by:
Milestone: Priority: high
Severity: critical Version:
Component: General Keywords:
Focuses: Cc:

Description

http://lwn.net/Articles/259204/ shows wordpress has a security issue and I can't seem to find anything useful about when this might be fixed or if it is being worked on.

You need to do a better job of notifying us of security issues. Things like a section on the website... http://wordpress.org/security is 404 now.

Send out notification on the announcement list of open issues like the one mentioned above and suggest "Workarounds" if the issue isn't fixed.

Change History (7)

comment:1 rob1n6 years ago

Of course it's possible to get the hash and run it against a rainbow pattern (or create a session cookie) -- if you have read-only access.

I suppose a solution would be to stop storing the hash in the cookie, and authenticate a bit differently.

comment:3 santosj6 years ago

Solutions already exist or can exist with a plugin. However, such a plugin has not yet been referenced on WP-Hackers. Travis has stated that he developed a system for his web site that uses sessions to correct this problem.

However, since the solution calls for either using PHP Sessions, PHPass, and/or salting passwords, I don't think it is trival and could cause problems. I can't think of an solution that doesn't involve resetting everyone's password once the change is implemented.

comment:4 JeremyVisser6 years ago

Regarding the 3 comments above, this ticket was about improving the way WP informs the community about security issues, not about the latest security issue in particular.

comment:5 darkdragon6 years ago

Understood, which was why the ticket wasn't closed in the first place. However, the ticket makes references to other bugs that needed to be made available.

comment:6 matt6 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

When appropriate and there is a clear and present danger to our users, we publicize things quite a bit. Thanks for your feedback on this particular issue. Marking as "duplicate" just so it doesn't clog up our issue tracker.

comment:7 Nazgul6 years ago

  • Milestone 2.5 deleted
Note: See TracTickets for help on using tickets.