Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-236-1 wordpress

Debian Security Advisory

DLA-236-1 wordpress -- LTS security update

Date Reported:

01 Jun 2015

Affected Packages:

wordpress

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-9031, CVE-2014-9033, CVE-2014-9034, CVE-2014-9035, CVE-2014-9036, CVE-2014-9037, CVE-2014-9038, CVE-2014-9039, CVE-2015-3438, CVE-2015-3439, CVE-2015-3440.

More information:

In the Debian squeeze-lts version of Wordpress, multiple security issues have been fixed:

Remote attackers could...

• ... upload files with invalid or unsafe names
• ... mount social engineering attacks
• ... compromise a site via cross-site scripting
• ... inject SQL commands
• ... cause denial of service or information disclosure

• CVE-2014-9031

  Jouko Pynnonen discovered an unauthenticated cross site scripting vulnerability (XSS) in wptexturize(), exploitable via comments or posts.

• CVE-2014-9033

  Cross site request forgery (CSRF) vulnerability in the password changing process, which could be used by an attacker to trick an user into changing her password.

• CVE-2014-9034

  Javier Nieto Arevalo and Andres Rojas Guerrero reported a potential denial of service in the way the phpass library is used to handle passwords, since no maximum password length was set.

• CVE-2014-9035

  John Blackbourn reported an XSS in the Press This function (used for quick publishing using a browser bookmarklet).

• CVE-2014-9036

  Robert Chapin reported an XSS in the HTML filtering of CSS in posts.

• CVE-2014-9037

  David Anderson reported a hash comparison vulnerability for passwords stored using the old-style MD5 scheme. While unlikely, this could be exploited to compromise an account, if the user had not logged in after a Wordpress 2.5 update (uploaded to Debian on 2 Apr, 2008) and the password MD5 hash could be collided with due to PHP dynamic comparison.

• CVE-2014-9038

  Ben Bidner reported a server side request forgery (SSRF) in the core HTTP layer which unsufficiently blocked the loopback IP address space.

• CVE-2014-9039

  Momen Bassel, Tanoy Bose, and Bojan Slavkovic reported a vulnerability in the password reset process: an email address change would not invalidate a previous password reset email.

• CVE-2015-3438

  Cedric Van Bockhaven reported and Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team fixed a cross-site-scripting vulnerabilitity, which could enable anonymous users to compromise a site.

• CVE-2015-3439

  Jakub Zoczek discovered a very limited cross-site scripting vulnerability, that could be used as part of a social engineering attack.

• CVE-2015-3440

  Jouko Pynnönen discovered a cross-site scripting vulnerability, which could enable commenters to compromise a site.