wordpress - security update

In the Debian squeeze-lts version of Wordpress, multiple security issues
have been fixed:

Remote attackers could…

• … upload files with invalid or unsafe names

• … mount social engineering attacks

• … compromise a site via cross-site scripting

• … inject SQL commands

• … cause denial of service or information disclosure

• CVE-2014-9031
  Jouko Pynnonen discovered an unauthenticated cross site scripting
  vulnerability (XSS) in wptexturize(), exploitable via comments or
  posts.

• CVE-2014-9033
  Cross site request forgery (CSRF) vulnerability in the password
  changing process, which could be used by an attacker to trick an user
  into changing her password.

• CVE-2014-9034
  Javier Nieto Arevalo and Andres Rojas Guerrero reported a potential
  denial of service in the way the phpass library is used to handle
  passwords, since no maximum password length was set.

• CVE-2014-9035
  John Blackbourn reported an XSS in the Press This function (used
  for quick publishing using a browser bookmarklet).

• CVE-2014-9036
  Robert Chapin reported an XSS in the HTML filtering of CSS in posts.

• CVE-2014-9037
  David Anderson reported a hash comparison vulnerability for passwords
  stored using the old-style MD5 scheme. While unlikely, this could be
  exploited to compromise an account, if the user had not logged in
  after a Wordpress 2.5 update (uploaded to Debian on 2 Apr, 2008) and
  the password MD5 hash could be collided with due to PHP dynamic
  comparison.

• CVE-2014-9038
  Ben Bidner reported a server side request forgery (SSRF) in the core
  HTTP layer which unsufficiently blocked the loopback IP address
  space.

• CVE-2014-9039
  Momen Bassel, Tanoy Bose, and Bojan Slavkovic reported a
  vulnerability in the password reset process: an email address change
  would not invalidate a previous password reset email.

• CVE-2015-3438
  Cedric Van Bockhaven reported and Gary Pendergast, Mike Adams, and Andrew Nacin of the
  WordPress security team fixed a cross-site-scripting vulnerabilitity, which could enable anonymous users
  to compromise a site.

• CVE-2015-3439
  Jakub Zoczek discovered a very limited cross-site scripting
  vulnerability, that could be used as part of a social engineering
  attack.

• CVE-2015-3440
  Jouko PynnĂśnen discovered a cross-site scripting vulnerability,
  which could enable commenters to compromise a site.