OSV:DSA-2901-1
Apr 12, 2014 - 12:00 a.m.

wordpress - security update

Published: 2014-04-12 00:00:00
Source: Google, osv.dev

CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Several vulnerabilities were discovered in WordPress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following problems:

  • CVE-2014-0165
    A user with a contributor role, using a specially crafted
    request, can publish posts, an action reserved for users of the
    next-higher role.
  • CVE-2014-0166
    Jon Cave of the WordPress security team discovered that the
    wp_validate_auth_cookie function in wp-includes/pluggable.php does
    not properly determine the validity of authentication cookies,
    allowing a remote attacker to obtain access via a forged cookie.

For the oldstable distribution (squeeze), these problems have been fixed
in version 3.6.1+dfsg-1~deb6u2.

For the stable distribution (wheezy), these problems have been fixed in
version 3.6.1+dfsg-1~deb7u2.

For the testing distribution (jessie), these problems have been fixed in
version 3.8.2+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 3.8.2+dfsg-1.

We recommend that you upgrade your wordpress packages.
