[SECURITY] [DLA 975-1] wordpress security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 975-1] wordpress security update
From: Markus Koschany <apo@debian.org>
Date: Fri, 2 Jun 2017 14:47:52 +0200
Message-id: <[🔎] a5ef5dbd-d164-feea-6258-306d840a1cb7@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : wordpress
Version        : 3.6.1+dfsg-1~deb7u15
CVE ID         : CVE-2017-8295 CVE-2017-9061 CVE-2017-9062
                 CVE-2017-9063 CVE-2017-9064 CVE-2017-9065
Debian Bug     : 862053 862816

Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2017-8295

    Potential unauthorized password reset vulnerability. More
    information are available at:

https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

CVE-2017-9061

    A cross-site scripting (XSS) vulnerability exists when someone
    attempts to upload very large files.

CVE-2017-9062

    Improper handling of post meta data values in the XML-RPC API.

CVE-2017-9063

   Cross-site scripting (XSS) vulnerability in the customizer.

CVE-2017-9064

    A Cross Site Request Forgery (CSRF) vulnerability exists in the
    filesystem credentials dialog.

CVE-2017-9065

    Lack of capability checks for post meta data in the XML-RPC API.

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u15.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlkxXnhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSyPhAAoUfz6LXP8Vb053DSF632+g+zkU9MzaxIjsiDpjYI6Cjq8efFu0p2CoCc
6iV2yvDuj3aHHglwt/Am6PYsPGE8j04CXhdxRWjJXcKe/gN2XzPW6XpIMx29LJba
em4Dd74bZL7JnDS/EH52NNM9yGaJ1EUs6866BSxApgKsZej9XH1R0HKpM3cxNhGE
Lc8b/tJg1oKE9M045+eFQ3x8EWAl15JIm6wX1NNzajSumSEjWoPvOY5g2U8rIdQq
g9MYcIwxzRKjGY/0lIf2TE81fauxTYZ7Yp9s9/GgemtIvF4PyvmSispgyESvZXgX
DeGVo44uU5CqglbX63x4OgKdVV5rEGFwZIr6/8h3n/c6OxRN0IkzbmAbHhDaqn/Z
eTVS2tqdZqDTGbY9ZQ5PfNFZI7Yb/mJN+B/0TAGPWRUS8afh5RdL6xMn5IcY53OX
oKd2gdk0GKn8BGe5eqgthoSIrFJYSWhV0dYjM3FWlZSmd7PPVP9eHrIOYIwCW2pO
5oYQbJhOOQcKcqox29DzTdi10bnVCQcbRJhei7l09bsW9yd6einrXqi+x8WlvkLf
Wfnnd0gx5qzmlYFRr6qkHy9/wPwP7iAtfNTDt8arnS9/YOtVpwAarSABEj7IpXvr
I52BfKziFXWRlOVxnY32Zr9UcEhgFkcFftGFv5OFAMMpABc3zZI=
=1VcM
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 972-1] openldap security update
Next by Date: [SECURITY] [DLA 977-1] freeradius security update
Previous by thread: [SECURITY] [DLA 972-1] openldap security update
Next by thread: [SECURITY] [DLA 977-1] freeradius security update
Index(es):
- Date
- Thread