PublicDate: 2008-08-27 15:21:00 UTC
Candidate: CVE-2008-3747
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3747
Description:
 The (1) get_edit_post_link and (2) get_edit_comment_link functions in
 wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL
 communication in the intended situations, which might allow remote
 attackers to gain administrative access by sniffing the network for a
 cookie.
Ubuntu-Description:
Notes:
 jdstrand> per upstream via stefanlsd, SSL functionality doesn't exist
   before 2.6.0. However, Debian is trying to backport the SSL functionality,
   believing that lack of SSL is an extension of this CVE. stefanlsd and
   upstream feel that this approach is dangerous and messy. It has been
   marked as Won't Fix in LP, but can be reopened if the Debian patch is
   viable.
 jdstrand> Debian patch is included in 2.5.1-6 (broken) and 2.5.1-7
Bugs:
 https://bugs.edge.launchpad.net/ubuntu/+source/wordpress/+bug/269301
 http://bugs.debian.org/497216
 http://bugs.debian.org/497524
Priority: low
Discovered-by:
Assigned-to:
CVSS: 

Patches_wordpress:
 other: http://trac.wordpress.org/ticket/7359
upstream_wordpress: released (2.6.1)
dapper_wordpress: deferred
feisty_wordpress: deferred
gutsy_wordpress: deferred
hardy_wordpress: deferred
intrepid_wordpress: deferred
jaunty_wordpress: not-affected (2.7.1-2ubuntu1)
karmic_wordpress: not-affected (2.7.1-2ubuntu1)
lucid_wordpress: not-affected (2.7.1-2ubuntu1)
maverick_wordpress: not-affected (2.7.1-2ubuntu1)
natty_wordpress: not-affected (2.7.1-2ubuntu1)
oneiric_wordpress: not-affected (2.7.1-2ubuntu1)
precise_wordpress: not-affected (2.7.1-2ubuntu1)
quantal_wordpress: not-affected (2.7.1-2ubuntu1)
raring_wordpress: not-affected (2.7.1-2ubuntu1)
devel_wordpress: not-affected (2.7.1-2ubuntu1)