[SECURITY] [DLA 1151-2] wordpress regression update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1151-2] wordpress regression update
From: Markus Koschany <apo@debian.org>
Date: Sun, 12 Nov 2017 23:15:49 +0100
Message-id: <[🔎] b66df627-30eb-2025-caa2-e6b9db08bf2f@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : wordpress
Version        : 3.6.1+dfsg-1~deb7u19
Debian Bug     : 881088

The fix for CVE-2017-14990 issued as DLA-1151-1 was incomplete and
caused a regression. It was discovered that an additional database
upgrade and further code changes would be necessary. At the moment
these changes are deemed as too intrusive and thus the initial patch
for CVE-2017-14990 has been removed again. For reference, the original
advisory text follows.

WordPress stores cleartext wp_signups.activation_key values (but
stores the analogous wp_users.user_activation_key values as hashes),
which might make it easier for remote attackers to hijack unactivated
user accounts by leveraging database read access (such as access
gained through an unspecified SQL injection vulnerability).

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u19.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAloIyBRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQI5w//YBa+vsNX3RXJLCb1nKWuWYY3R+D/waxubGuEUnmokfkSQ7SkkcYB8BBq
mkGBX60gqAIpN4i5WWoeGLDSch/+GNheRSEIA9h8pX+Sqi194TZ1owxXIcv7jjkg
Z1pyLfUYWxFbD+KqZ/lN4IL8enf3OkpUGxWTXNNVNQiRREDjSIi+w6t6DxKWyWnl
Q4dNL9VSzKxTC+7oBqXBMTLHsS66Xug0w6FFX23BpmJ7bUfFXgDwKW60+vJVeSGJ
AojZMSHslM+H61C0zgdplT3ULaQgb6OV906DUclic4050l3ev2XRpsXd/V5BzQ5G
aAkqiRMA9RPmtOqtrUIfluo/DRUtLG3Mcmit1TTeiE9QALsyRGMO+zpOlBbjZj6+
6l3OPDx5rGQga1gk/MfgFcz7MEswx5SDmDtKNCcnTylDBC8pwrIW48mYpR5tTjmX
1c5TsEB5Tsjh9RgswZMXO0c13+0DRdG0P4+MEUClHaQFUZojACs3+vt7TaGCiYmh
+eBl7UiQb297k1nF2t1dyTND8uQ1ze4IVTQAzhyx9vsp76Fxsm4rAAYJtugB6HHK
JrUUdmR2FJNIy+V9knzxGZMq5TRJUeLu8dQZEfGr0ox3BNwlRs0oviM8g4FPFxhS
TiacFP/i3mBRwlaJTYmFEpz5ipXKp6Xs4fmg3rzwscU714+7WGM=
=eDMe
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA-1169-1] postgresql-common security update
Next by Date: [SECURITY] [DLA 1170-1] graphicsmagick security update
Previous by thread: [SECURITY] [DLA-1169-1] postgresql-common security update
Next by thread: [SECURITY] [DLA 1170-1] graphicsmagick security update
Index(es):
- Date
- Thread