[SECURITY] [DLA 418-1] wordpress security update

2016-02-1623:03:46

lists.debian.org

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

8.4 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

86.0%

JSON

Package : wordpress
Version : 3.6.1+dfsg-1~deb6u9
CVE ID : CVE-2016-2221 CVE-2016-2222
Debian Bug : 813697

WordPress versions 4.4.1 and earlier are affected by two security
issues: a possible Side Request Forgery Vulnerability for certain
local URIs, reported by Ronni Skansing; and an open redirection
attack, reported by Shailesh Suthar.

CVE-2016-2221
Wordpress could be vulnerable for an open redirection attack
which was fixed by better validation of the URL used in HTTP
redirects.

CVE-2016-2222
It was discovered that Wordpress was susceptible for a possible Side
Request Forgery Vulnerability because it considered for instance
0.1.2.3 as a valid IP.

For Debian 6 "Squeeze", these problems have been fixed in version
3.6.1+dfsg-1~deb6u9.

We recommend that you upgrade your wordpress packages.

OSVersionArchitecturePackageVersionFilename
Debian6allwordpress< 3.6.1+dfsg-1~deb6u9wordpress_3.6.1+dfsg-1~deb6u9_all.deb
Debian6allwordpress-l10n< 3.6.1+dfsg-1~deb6u9wordpress-l10n_3.6.1+dfsg-1~deb6u9_all.deb
Debian7allwordpress< 3.6.1+dfsg-1~deb7u10wordpress_3.6.1+dfsg-1~deb7u10_all.deb
Debian8allwordpress-theme-twentythirteen< 4.1+dfsg-1+deb8u8wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u8_all.deb
Debian8allwordpress-theme-twentyfifteen< 4.1+dfsg-1+deb8u8wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u8_all.deb
Debian7allwordpress-l10n< 3.6.1+dfsg-1~deb7u10wordpress-l10n_3.6.1+dfsg-1~deb7u10_all.deb
Debian8allwordpress-l10n< 4.1+dfsg-1+deb8u8wordpress-l10n_4.1+dfsg-1+deb8u8_all.deb
Debian8allwordpress< 4.1+dfsg-1+deb8u8wordpress_4.1+dfsg-1+deb8u8_all.deb
Debian8allwordpress-theme-twentyfourteen< 4.1+dfsg-1+deb8u8wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u8_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	wordpress	< 3.6.1+dfsg-1~deb6u9	wordpress_3.6.1+dfsg-1~deb6u9_all.deb
Debian	6	all	wordpress-l10n	< 3.6.1+dfsg-1~deb6u9	wordpress-l10n_3.6.1+dfsg-1~deb6u9_all.deb
Debian	7	all	wordpress	< 3.6.1+dfsg-1~deb7u10	wordpress_3.6.1+dfsg-1~deb7u10_all.deb
Debian	8	all	wordpress-theme-twentythirteen	< 4.1+dfsg-1+deb8u8	wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u8_all.deb
Debian	8	all	wordpress-theme-twentyfifteen	< 4.1+dfsg-1+deb8u8	wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u8_all.deb
Debian	7	all	wordpress-l10n	< 3.6.1+dfsg-1~deb7u10	wordpress-l10n_3.6.1+dfsg-1~deb7u10_all.deb
Debian	8	all	wordpress-l10n	< 4.1+dfsg-1+deb8u8	wordpress-l10n_4.1+dfsg-1+deb8u8_all.deb
Debian	8	all	wordpress	< 4.1+dfsg-1+deb8u8	wordpress_4.1+dfsg-1+deb8u8_all.deb
Debian	8	all	wordpress-theme-twentyfourteen	< 4.1+dfsg-1+deb8u8	wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u8_all.deb