tickets #160970

closed

Vulnerable WordPress version of lizards.opensuse.org

Added by cybersecurity@suse.com 2 months ago. Updated 13 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
2024-05-27
Due date:
% Done:

0%

Estimated time:

Description

Dear Heroes Team,

We have found that lizards.opensuse.org is being flagged as high risk by
multiple third-party security assessment vendors, such as BitSight, for
patching cadence.
The reports from these vendors are being used by our customers to assess /
judge our security posture, which sometimes becomes a road blocker in new
/ renewal sales deals. Hence it is recommended to remediate this issue.

Problem Statement:
lizards.opensuse.org is running a vulnerable version (WordPress 4.7.5) of
WordPress.

Description:
Before version 4.8.2, WordPress mishandled % characters and additional
placeholder values in $wpdb->prepare, and thus did not properly address the
possibility of plugins and themes enabling SQL injection attacks. This
allows a code injection attack into the database engine that supports
Wordpress.

Remediation / Recommendation:

  1. Upgrade WordPress to a version > 4.8.2 to eliminate this vulnerability.
  2. If the website is not being maintained / is deprecated, it is recommended to consider it for decommissioning as soon as possible.
  3. Or, can we have an HTTP redirect (301, Moved Permanently) on a web server configured to hold valid certificates for lizard.opensuse.org?
  4. Or we can use a redirection record for lizard.opensuse.org to planet.opensuse.org, which is first configured to hold valid certificates for lizard.opensuse.org.

Best Regards,
Shiwang on behalf of SUSE Cybersecurity Team


Related issues: 1 (0 open, 1 closed)

Related to openSUSE admin - tickets #64550: Lizards deprecation (Closed, hellcp, 2020-03-18)

Actions #1

Updated by crameleon 2 months ago

Actions #2

Updated by hellcp 2 months ago

Since it's a static site now, we can't do much in the way of updating the wordpress version. Do you know which api endpoint the scanner uses to figure out what version of wordpress it is? The version number appears in quite a few places. Would it be enough to remove that? https://github.com/search?q=repo%3AopenSUSE%2Flizards%204.7.5&type=code

Actions #3

Updated by cybersecurity@suse.com 2 months ago

(a) Do you know which API endpoint the scanner uses to figure out what
version of WordPress it is?
No, sorry, we do not know what vulnerability scanner these third-party
risk rating agencies are using.

(b) The version number appears in quite a few places. Would it be enough to
remove that?
https://github.com/search?q=repo%3AopenSUSE%2Flizards%204.7.5&type=code
This is a good idea; we can start with removing all the occurrences of
the version number "4.7.5". While this may not guarantee the fix, it should
at least bypass a good number of vulnerability scanners.

Regards,
Shiwang on behalf of Cybersecurity Team.

On Mon, May 27, 2024 at 1:49 PM hellcp redmine@opensuse.org wrote:

[openSUSE Tracker]
Issue #160970 has been updated by hellcp.

Since it's a static site now, we can't do much in the way of updating the
wordpress version. Do you know which api endpoint the scanner uses to
figure out what version of wordpress it is? The version number appears in
quite a few places. Would it be enough to remove that?
https://github.com/search?q=repo%3AopenSUSE%2Flizards%204.7.5&type=code


tickets #160970: Vulnerable WordPress version of lizards.opensuse.org
https://progress.opensuse.org/issues/160970#change-801626
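A defender-side check for the question raised in this exchange (where a scanner could read the version from), as an added example that is not code from the lizards repository or from the PR: it walks an exported static site and reports every place a WordPress version string typically survives. The fingerprint patterns and the sample site contents are constructed for this example; 4.7.5 is the version named in the ticket.

```python
import re
from pathlib import Path

# Locations where a static WordPress export usually still carries the
# core version (constructed list for this example; not exhaustive).
PATTERNS = {
    "meta generator": re.compile(
        r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I),
    "asset ?ver= query": re.compile(r'[?&]ver=(\d+\.\d+(?:\.\d+)?)\b'),
    "RSS generator": re.compile(
        r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I),
    "readme.html": re.compile(r'Version\s+([\d.]+)', re.I),
}


def find_version_leaks(files):
    """files: {relative path: text}. Returns [(path, kind, version), ...]."""
    hits = []
    for path, text in files.items():
        for kind, pat in PATTERNS.items():
            # The "Version x.y.z" banner is only meaningful inside readme.html.
            if kind == "readme.html" and not path.endswith("readme.html"):
                continue
            for m in pat.finditer(text):
                hits.append((path, kind, m.group(1)))
    return hits


def leaks_of(files, version):
    """Only the hits that expose one specific core version (e.g. "4.7.5")."""
    return [h for h in find_version_leaks(files) if h[2] == version]


def scan_directory(root):
    """Read every *.html/*.xml file below root and run the same checks."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.suffix in (".html", ".xml")}
    return find_version_leaks(files)


# Constructed sample export: one page, one feed, one leftover readme.
SAMPLE_SITE = {
    "index.html": (
        '<html><head>\n'
        '<meta name="generator" content="WordPress 4.7.5" />\n'
        '<link rel="stylesheet" href="/wp-content/themes/lizards/style.css?ver=4.7.5">\n'
        '<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>\n'
        '</head><body>Hello</body></html>\n'),
    "feed/index.html": '<rss><channel><generator>https://wordpress.org/?v=4.7.5'
                       '</generator></channel></rss>\n',
    "readme.html": '<h1>WordPress</h1><p>Version 4.7.5</p>\n',
    "about/index.html": '<html><head><title>About</title></head></html>\n',
}

if __name__ == "__main__":
    for path, kind, version in find_version_leaks(SAMPLE_SITE):
        print(f"{path}: {kind} -> {version}")
```

Run `scan_directory("/path/to/export")` against a real checkout to get the same list for every HTML and XML file; note that `?ver=` on bundled libraries (jQuery above) leaks a library version rather than the core version, which is why `leaks_of` filters on the exact string.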

Actions #4

Updated by hellcp 2 months ago

Have a look at this PR I created https://github.com/openSUSE/lizards/pull/6

Actions #5

Updated by cybersecurity@suse.com about 2 months ago

Hello Jacob,

Thank you for your prompt response, the PR is good.
Please, let me know once it is done.

Best Regards,
Shiwang

On Mon, May 27, 2024 at 4:31 PM hellcp redmine@opensuse.org wrote:

[openSUSE Tracker]
Issue #160970 has been updated by hellcp.

Have a look at this PR I created
https://github.com/openSUSE/lizards/pull/6


tickets #160970: Vulnerable WordPress version of lizards.opensuse.org
https://progress.opensuse.org/issues/160970#change-801734

Actions #6

Updated by crameleon 13 days ago

  • Status changed from New to Resolved
  • Assignee set to hellcp
  • Private changed from Yes to No

Hi,

the changes have been merged already.

Best,
Georg
