Debian Security Advisory

DSA-1601-1 wordpress -- several vulnerabilities

Date Reported:

04 Jul 2008

Affected Packages:

wordpress

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 437085, Bug 464170.
In Mitre's CVE dictionary: CVE-2007-1599, CVE-2008-0664.

More information:

Several remote vulnerabilities have been discovered in Wordpress, the weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-1599
WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information.
CVE-2008-0664
The XML-RPC implementation, when registration is enabled, allows remote attackers to edit posts of other blog users.

For the stable distribution (etch), these problems have been fixed in version 2.0.10-1etch3.

For the unstable distribution (sid), these problems have been fixed in version 2.3.3-1.

We recommend that you upgrade your wordpress package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz; http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.dsc; http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.diff.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3_all.deb

MD5 checksums of the listed files are available in the original advisory.