1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2901-3] wordpress regression update

    From Salvatore Bonaccorso@1:229/2 to All on Mon Apr 21 08:10:03 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2901-3 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso
    April 21, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : wordpress
    CVE ID : CVE-2014-0165 CVE-2014-0166
    Debian Bug : 744018

    The update of wordpress in DSA-2901-2 introduced a wrong versioned
    dependency on libjs-cropper, making the package uninstallable in the
    oldstable distribution (squeeze). This update corrects that problem.

    For reference the original advisory text follows.

    Several vulnerabilities were discovered in Wordpress, a web blogging
    tool. The Common Vulnerabilities and Exposures project identifies the
    following problems:

    CVE-2014-0165

    A user with a contributor role, using a specially crafted
    request, can publish posts, which is reserved for users of the
    next-higher role.

    CVE-2014-0166

    Jon Cave of the WordPress security team discovered that the
    wp_validate_auth_cookie function in wp-includes/pluggable.php does
    not properly determine the validity of authentication cookies,
    allowing a remote attacker to obtain access via a forged cookie.

    For the oldstable distribution (squeeze), this problem has been fixed
    in version 3.6.1+dfsg-1~deb6u4.

    We recommend that you upgrade your wordpress packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJTVLUPAAoJEAVMuPMTQ89EqdwP/3ayqSSOrZAYJSJO4U39wvUz +H9BnPCkXQmqB0jL1nh8VjDC6lm9FFcK+Nm04Kd2Ema1S2pjnmfj/rZ4ektKc2Bx 4gXX7NjfAGUt+cl+9Wl8KdUJ1a+N7jLkkRxNxEItQ9cradxMbsAHZl7+oLBcAjW2 l4Mj6eya8amumDHfVbe7a/+4ex1t6Jslk0EQPCRsDOrbXPHtctvzfX8LxBtfY/XH /ZZhXW6VsGKaZ2AfuM+tilYbPjTMqdvnCL6YrfiGStftdvlywELJw7Hnb1x9p83A E2FGcRsjCVuy2R5zvOcPIqJJG853t8wdRe3z+xfV/tONzUnuywa1GRm/c284d+Yx Gs8nW8+dtujIwSeGdubLwEOBc7HHvhk4/UPQpc3T6ricaupp2k42oLhB5kP3D2e9 fwNTFjULFVzrf7kfA8imroOkOPI5C57UMOTHrjdjzlPFAQC2DiUJx2UTtz/i42Ck HOay7x/0DSe5NrENdrVwZ558Z4PW8NBvrBPOrAXeJhdVzelfbpESaJoiM/lhUm0f T0o8H6dESm6rUlhxLxZoowTtOzg/qeduSdU7mhSGYhKYLplMv5kCGCak3z23UVGK CLWJsKVEf8lxOn/Rzd5z8o/wqrWqLf0uRF0xQrqCCzyplV9cZXNOz/oaIu64Ajo4 r5vIZoPqbIGSopbSOae2
    =bnMQ
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)