Last Updated: 2008-09-09 18:18:55 UTC
by Swa Frantzen (Version: 1)
Roseman pointed out that the popular blog software wordpress is in need of an upgrade.
Wordpress 2.6.2 fixes an interesting combination of bugs:
- A security bug allowing a user to reset another user's password to a random value (nasty, DoS, etc. but not the end of the world).
- A vulnerability in the mt_rand() function of PHP allowing the attacker to predict the random password that will be chosen on a password reset.
Sefan Esser's latest version of Suhosin does protect against this.
Lack of randomness will come back over and over till we get it right (16bit IDs in DNS, the Debian debacle with the lack of entropy in their implementation OpenSSL, random session IDs, ... )
Equally important remains the proper follow up of tools we use. Are you sure you'll note any tool you have on your machine(s) or servers will let you know it's in need of upgrading ? Are you subscribed to their means of letting you know (email, blog, ...).
Swa Frantzen -- Section 66