[SECURITY] [DLA 236-1] wordpress security update

2015-06-0112:11:28

lists.debian.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

77.7%

JSON

Package : wordpress
Version : 3.6.1+dfsg-1~deb6u6
CVE ID : CVE-2014-9031 CVE-2014-9033 CVE-2014-9034 CVE-2014-9035
CVE-2014-9036 CVE-2014-9037 CVE-2014-9038 CVE-2014-9039 CVE-2015-3438 CVE-2015-3439 CVE-2015-3440
Debian Bug : #783347 #783554 #770425

In the Debian squeeze-lts version of Wordpress, multiple security issues
have been fixed:

Remote attackers could…

… upload files with invalid or unsafe names
… mount social engineering attacks
… compromise a site via cross-site scripting
… inject SQL commands
… cause denial of service or information disclosure

CVE-2014-9031

Jouko Pynnonen discovered an unauthenticated cross site scripting
vulnerability (XSS) in wptexturize(), exploitable via comments or
posts.

CVE-2014-9033

Cross site request forgery (CSRF) vulnerability in the password
changing process, which could be used by an attacker to trick an user
into changing her password.

CVE-2014-9034

Javier Nieto Arevalo and Andres Rojas Guerrero reported a potential
denial of service in the way the phpass library is used to handle
passwords, since no maximum password length was set.

CVE-2014-9035

John Blackbourn reported an XSS in the &quot;Press This&quot; function (used
for quick publishing using a browser &quot;bookmarklet&quot;).

CVE-2014-9036

Robert Chapin reported an XSS in the HTML filtering of CSS in posts.

CVE-2014-9037

David Anderson reported a hash comparison vulnerability for passwords
stored using the old-style MD5 scheme. While unlikely, this could be
exploited to compromise an account, if the user had not logged in
after a Wordpress 2.5 update (uploaded to Debian on 2 Apr, 2008) and
the password MD5 hash could be collided with due to PHP dynamic
comparison.

CVE-2014-9038

Ben Bidner reported a server side request forgery (SSRF) in the core
HTTP layer which unsufficiently blocked the loopback IP address
space.

CVE-2014-9039

Momen Bassel, Tanoy Bose, and Bojan Slavkovic reported a
vulnerability in the password reset process: an email address change
would not invalidate a previous password reset email.

CVE-2015-3438

Cedric Van Bockhaven reported and Gary Pendergast, Mike Adams, and Andrew Nacin of the
WordPress security team fixed a cross-site-scripting vulnerabilitity, which could enable anonymous users
to compromise a site.

CVE-2015-3439

Jakub Zoczek discovered a very limited cross-site scripting
vulnerability, that could be used as part of a social engineering
attack.

CVE-2015-3440

Jouko Pynnönen discovered a  cross-site scripting vulnerability,
which could enable commenters to compromise a site.

–

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net

Attachment:
signature.asc
Description: Digital signature

OSVersionArchitecturePackageVersionFilename
Debian6allwordpress< 3.6.1+dfsg-1~deb6u6wordpress_3.6.1+dfsg-1~deb6u6_all.deb
Debian7allwordpress-l10n< 3.6.1+dfsg-1~deb7u5wordpress-l10n_3.6.1+dfsg-1~deb7u5_all.deb
Debian6allwordpress-l10n< 3.6.1+dfsg-1~deb6u6wordpress-l10n_3.6.1+dfsg-1~deb6u6_all.deb
Debian7allwordpress< 3.6.1+dfsg-1~deb7u5wordpress_3.6.1+dfsg-1~deb7u5_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	wordpress	< 3.6.1+dfsg-1~deb6u6	wordpress_3.6.1+dfsg-1~deb6u6_all.deb
Debian	7	all	wordpress-l10n	< 3.6.1+dfsg-1~deb7u5	wordpress-l10n_3.6.1+dfsg-1~deb7u5_all.deb
Debian	6	all	wordpress-l10n	< 3.6.1+dfsg-1~deb6u6	wordpress-l10n_3.6.1+dfsg-1~deb6u6_all.deb
Debian	7	all	wordpress	< 3.6.1+dfsg-1~deb7u5	wordpress_3.6.1+dfsg-1~deb7u5_all.deb