[SECURITY] [DLA 568-1] wordpress security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 568-1] wordpress security update
From: Markus Koschany <apo@debian.org>
Date: Fri, 29 Jul 2016 18:23:23 +0200
Message-id: <[🔎] d0402052-3e87-39dd-38ff-e2908b600472@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : wordpress
Version        : 3.6.1+dfsg-1~deb7u11
CVE ID         : CVE-2016-5387 CVE-2016-5832 CVE-2016-5834
		 CVE-2016-5835 CVE-2016-5838 CVE-2016-5839
Debian Bug     : 828225


Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2016-5387
    WordPress allows remote attackers to bypass intended
    access restrictions and remove a category attribute from a post via
    unspecified vectors.

CVE-2016-5832
    The customizer in WordPress allows remote attackers to
    bypass intended redirection restrictions via unspecified vectors.

CVE-2016-5834
    Cross-site scripting (XSS) vulnerability in the
    wp_get_attachment_link function in wp-includes/post-
    template.php in WordPress allows remote
    attackers to inject arbitrary web script or HTML via a crafted
    attachment name.

CVE-2016-5835
    WordPress allows remote attackers to obtain sensitive
    revision-history information by leveraging the ability to read a
    post related to wp-admin/includes/ajax-actions.php and
    wp-admin/revision.php.

CVE-2016-5838
    WordPress allows remote attackers to bypass intended password-
    change restrictions by leveraging knowledge of a cookie.

CVE-2016-5839
    WordPress allows remote attackers to bypass the
    sanitize_file_name protection mechanism via unspecified vectors.

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u11.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQJ8BAEBCgBmBQJXm4L7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HklL0P/A70klu2O0pE/T+iYq9dhoj8
+pU6no4lLNGQ7+3uaVcnRue4y6ZikQRGNgZiM5cust641L0tyaPRMwmyAA+J9snx
iMZeC3fFnnslGdAkeblvQTJXEDQFAfFJI1m7LrPrhRHcVTL6q5U1YON45cDqI1Q6
wtQ3V1Dt7rM4tWjCvvDW0IbXonC0H6qZmR0u/NuE+DIR2CqWW7qFhV7hQgXEJz9Y
fbMrz4WyFvxavDtfvlktmln2TUxpOhkLdhoiHupEtB67L4bu6VhpxxfXzlbosVUO
x9qoZgxftOezQAO6VsPqYuf3aRza0Iv0C1Dk9csEO+577jLIAj/pS5OnTcOkQyFQ
h2tlm1EF1fRMM9ISN1kwCkBx6p94kjc2FPNzIJBcOI9CabmrMUGQxIY+iJBQdbNP
vyFWRMUjlN0U87Xf/V9s1BdEVJPnutw7/ZAYtIjB8Zq8iO59Eltc3sIhez0ngCB/
9XkOz7vjmVrgrFDAHgeEH/revlQIOaHXDqMRPc8FAYxGqvlrXPDIZe8qg9yN/Bol
ncFyXGJh1VvGiWKSp1ebz1b9x9se7yy3yLrdnxtDU4ZIq6mHGCXVF3YkNJCji1if
ynvz4z2EOXadAKnd5ZkJRj+uxHoEPSrAXankwM2HXm7/3jz1ZpiuRTocNQRm2XAx
uXD3d8jdurR4lQ0iyQGj
=SVB4
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 566-1] cakephp security update
Next by Date: [SECURITY] [DLA 569-1] xmlrpc-epi security update
Previous by thread: [SECURITY] [DLA 566-1] cakephp security update
Next by thread: [SECURITY] [DLA 569-1] xmlrpc-epi security update
Index(es):
- Date
- Thread