Debian Security Advisory
DSA-3250-1 wordpress -- security update
- Date Reported:
- 04 May 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 783347, Bug 783554.
In Mitre's CVE dictionary: CVE-2015-3438, CVE-2015-3439, CVE-2015-3440.
- More information:
Multiple security issues have been discovered in Wordpress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.
More information can be found in the upstream advisories at https://wordpress.org/news/2015/04/wordpress-4-1-2/ and https://wordpress.org/news/2015/04/wordpress-4-2-1/
For the oldstable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u6.
For the stable distribution (jessie), these problems have been fixed in version 4.1+dfsg-1+deb8u1.
For the testing distribution (stretch), these problems have been fixed in version 4.2.1+dfsg-1.
For the unstable distribution (sid), these problems have been fixed in version 4.2.1+dfsg-1.
We recommend that you upgrade your wordpress packages.