Automatically updated on Thu, 20 May 2021 04:48:30 GMT

Author: prisis

_site/_headers

@@ -1,2 +1,2 @@
 /*
-  Last-Modified: Wed, 19 May 2021 04:47:59 GMT
+  Last-Modified: Thu, 20 May 2021 04:48:30 GMT

security-advisories-sha

@@ -1 +1 @@
-124da73d3a13e14334f3a775cb9c6e404df075c6209
+125f82a3901599b13647e0b049a0b823aa37ad96259

security-advisories.json

@@ -26166,7 +26166,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=3.4.0",
-                        "<3.4.48"
+                        "<3.4.49"
                     ]
                 },
                 "4.0.x": {
@@ -26201,7 +26201,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=4.4.0",
-                        "<4.4.23"
+                        "<4.4.24"
                     ]
                 }
             },
@@ -26583,7 +26583,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=3.4.0",
-                        "<3.4.48"
+                        "<3.4.49"
                     ]
                 },
                 "4.0.x": {
@@ -26618,7 +26618,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=4.4.0",
-                        "<4.4.23"
+                        "<4.4.24"
                     ]
                 },
                 "5.0.x": {
@@ -26639,7 +26639,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=5.2.0",
-                        "<5.2.8"
+                        "<5.2.9"
                     ]
                 }
             },
@@ -30273,7 +30273,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=3.4.0",
-                        "<3.4.48"
+                        "<3.4.49"
                     ]
                 },
                 "4.0.x": {
@@ -30308,7 +30308,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=4.4.0",
-                        "<4.4.23"
+                        "<4.4.24"
                     ]
                 },
                 "5.0.x": {
@@ -30329,7 +30329,7 @@
                     "time": 1620806400,
                     "versions": [
                         ">=5.2.0",
-                        "<5.2.8"
+                        "<5.2.9"
                     ]
                 }
             },
@@ -35998,6 +35998,22 @@
             "reference": "composer://willdurand/js-translation-bundle"
         }
     },
+    "wp-cli/wp-cli": {
+        "CVE-2021-29504": {
+            "title": "### Impact\nAn improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself.\n\n### Patches\nThe vulnerability stems from the fact that the default behavior of `WP_CLI\\Utils\\http_request()` when encountering a TLS handshake error is to disable certificate validation and retry the same request.\n\nThe default behavior has been changed with version 2.5.0 of WP-CLI and the `wp-cli/wp-cli` framework (via https://github.com/wp-cli/wp-cli/pull/5523) so that the `WP_CLI\\Utils\\http_request()` method accepts an `$insecure` option that is `false` by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of `WP_CLI\\Utils\\http_request()`, including those in separate WP-CLI bundled or third-party packages.\n\nhttps://github.com/wp-cli/wp-cli/pull/5523 has also added an `--insecure` flag to the `cli update` command to counter this breaking change.\n\nSubsequent PRs on the command repositories have added an `--insecure` flag to the appropriate commands on the following repositories to counter the breaking change:\n\n* https://github.com/wp-cli/config-command/pull/128\n* https://github.com/wp-cli/core-command/pull/186\n* https://github.com/wp-cli/extension-command/pull/287\n* https://github.com/wp-cli/checksum-command/pull/86\n* https://github.com/wp-cli/package-command/pull/138\n\n### Workarounds\nThere is no direct workaround for the default insecure behavior of `wp-cli/wp-cli` versions before 2.5.0.\n\nThe workaround for dealing with the breaking change in the commands directly affected by the new secure default behavior is to add the `--insecure` flag to manually opt-in to the previous insecure behavior.\n\n### References\n* [CWE: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Join the `#cli` channel in the [WordPress.org Slack](https://make.wordpress.org/chat/) to ask questions or provide feedback.\n",
+            "link": "https://github.com/advisories/GHSA-rwgm-f83r-v3qj",
+            "cve": "CVE-2021-29504",
+            "branches": {
+                "2.5.x": {
+                    "time": 1621465391,
+                    "versions": [
+                        "< 2.5.0"
+                    ]
+                }
+            },
+            "reference": "composer://wp-cli/wp-cli"
+        }
+    },
     "yii2mod/yii2-cms": {
         "CVE-2019-16130": {
             "title": "YII2-CMS v1.0 has XSS in protected\\core\\modules\\home\\models\\Contact.php via a name field to /contact.html.",