[SECURITY] [DLA 1216-1] wordpress security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : wordpress
Version : 3.6.1+dfsg-1~deb7u20
CVE ID : CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 CVE-2017-17094
Debian Bug : 883314
Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.
CVE-2017-17091
wp-admin/user-new.php in WordPress sets the newbloguser
key to a string that can be directly derived from the user ID, which
allows remote attackers to bypass intended access restrictions by
entering this string.
CVE-2017-17092
wp-includes/functions.php in WordPress does not require the
unfiltered_html capability for upload of .js files, which might
allow remote attackers to conduct XSS attacks via a crafted file.
CVE-2017-17093
wp-includes/general-template.php in WordPress does not properly
restrict the lang attribute of an HTML element, which might allow
attackers to conduct XSS attacks via the language setting of a site.
CVE-2017-17094
wp-includes/feed.php in WordPress does not properly
restrict enclosures in RSS and Atom fields, which might allow
attackers to conduct XSS attacks via a crafted URL.
For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u20.
We recommend that you upgrade your wordpress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS