
[SECURITY] [DLA 1216-1] wordpress security update




Package        : wordpress
Version        : 3.6.1+dfsg-1~deb7u20
CVE ID         : CVE-2017-17091 CVE-2017-17092 CVE-2017-17093
                 CVE-2017-17094
Debian Bug     : 883314

Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2017-17091

    wp-admin/user-new.php in WordPress sets the newbloguser
    key to a string that can be directly derived from the user ID, which
    allows remote attackers to bypass intended access restrictions by
    entering this string.
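The following added example (not WordPress's code; the key derivation is a constructed stand-in for the real newbloguser logic) contrasts the CVE-2017-17091 flaw class, an activation key that is a pure function of the user ID, with a store that issues random, single-use keys and compares them in constant time:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def derivable_newbloguser_key(user_id: int) -> str:
    """Constructed model of the flaw: the key is fully determined by the
    user ID, so anyone who knows (or guesses) the ID can regenerate it
    without ever having received it."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


class ActivationKeyStore:
    """Hardened counterpart: keys come from the OS CSPRNG, are kept
    server-side, are compared in constant time and are consumed on
    first use, so possession of the user ID alone yields nothing."""

    def __init__(self) -> None:
        self._pending: Dict[str, int] = {}

    def issue(self, user_id: int) -> str:
        key = secrets.token_hex(16)  # 128 random bits, hex-encoded
        self._pending[key] = user_id
        return key

    def redeem(self, key: str) -> Optional[int]:
        # Constant-time comparison against every pending key so the
        # check does not leak how much of a guess matched.
        for stored, user_id in self._pending.items():
            if hmac.compare_digest(stored, key):
                del self._pending[stored]  # single use
                return user_id
        return None
```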

CVE-2017-17092

    wp-includes/functions.php in WordPress does not require the
    unfiltered_html capability for upload of .js files, which might
    allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093

    wp-includes/general-template.php in WordPress does not properly
    restrict the lang attribute of an HTML element, which might allow
    attackers to conduct XSS attacks via the language setting of a site.

CVE-2017-17094

    wp-includes/feed.php in WordPress does not properly
    restrict enclosures in RSS and Atom fields, which might allow
    attackers to conduct XSS attacks via a crafted URL.


For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u20.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS