
[SECURITY] [DLA 1216-1] wordpress security update

2017-12-21 20:10:37
lists.debian.org

CVSS2: 6.5 Medium
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: SINGLE
Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED
Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.7 Medium (Confidence: Low)

EPSS: 0.004 Low (Percentile: 72.8%)

Package : wordpress
Version : 3.6.1+dfsg-1~deb7u20
CVE ID : CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 CVE-2017-17094
Debian Bug : 883314

Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2017-17091

wp-admin/user-new.php in WordPress sets the newbloguser
key to a string that can be directly derived from the user ID, which
allows remote attackers to bypass intended access restrictions by
entering this string.

CVE-2017-17092

wp-includes/functions.php in WordPress does not require the
unfiltered_html capability for upload of .js files, which might
allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093

wp-includes/general-template.php in WordPress does not properly
restrict the lang attribute of an HTML element, which might allow
attackers to conduct XSS attacks via the language setting of a site.

CVE-2017-17094

wp-includes/feed.php in WordPress does not properly
restrict enclosures in RSS and Atom fields, which might allow
attackers to conduct XSS attacks via a crafted URL.

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u20.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
