26 May 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
               AUSCERT Security Bulletin ASB-2011.0043
   A security update has been released for WordPress prior to 3.1.3
                              26 May 2011
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WordPress prior to 3.1.3
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade

Member content until: Saturday, June 25 2011

OVERVIEW

        A security update has been released for WordPress prior to 3.1.3
        which corrects a number of issues.

IMPACT

        The vendor has provided the following details regarding this update:

        "* Various security hardening by Alexander Concha.
         * Taxonomy query hardening by John Lamansky.
         * Prevent sniffing out user names of non-authors by using canonical
           redirects. Props Verónica Valeros.
         * Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of
           Microsoft, and Microsoft Vulnerability Research.
         * Improves file upload security on hosts with dangerous security
           settings.
         * Cleans up old WordPress import files if the import does not finish.
         * Introduce clickjacking protection in modern browsers on admin and
           login pages."

MITIGATION

        The vendor recommends upgrading to the latest version of WordPress.

REFERENCES

        WordPress 3.1.3 (and WordPress 3.2 Beta 2)
        http://wordpress.org/news/2011/05/wordpress-3-1-3/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFN3baG/iFOrG6YcBERAho/AKCcdMSFQKSpgA+455bSlKYHE2a4iwCaAxHi
pM/hsFgzPdhYI7In44+3lm0=
=JYms
-----END PGP SIGNATURE-----
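The bulletin's affected range is "WordPress prior to 3.1.3", so the first thing an administrator needs is a reliable way to decide whether a given installation is in scope. The script below is an added example written for this page; it is not AusCERT's or WordPress's own code. It reads the version either from wp-includes/version.php (the WordPress file that defines $wp_version) or from the "generator" meta tag WordPress prints in page HTML, and compares it component-wise so that 3.1.10 is correctly treated as newer than 3.1.3 and 3.2-beta2 (which the bulletin references as also containing the fixes) is not flagged. The sample file contents and HTML are constructed for the example. One caveat a practitioner should keep in mind: themes and plugins commonly strip the generator tag, so its absence says nothing about the patch level; the version.php check on the server is the authoritative one.

```python
"""Decide whether a WordPress install is affected by ASB-2011.0043
(WordPress prior to 3.1.3). Added example, not part of the bulletin."""
import re

FIXED_VERSION = "3.1.3"  # first release carrying the fixes named in the bulletin

# $wp_version = '3.1.2';  -- the assignment found in wp-includes/version.php
_VERSION_PHP_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")
# <meta name="generator" content="WordPress 3.1.2" />  -- emitted in page <head>
_GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([^"\s]+)"', re.I
)

# Constructed sample inputs (not taken from a real site).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.1.2';
"""
SAMPLE_HTML = (
    '<html><head><title>Blog</title>'
    '<meta name="generator" content="WordPress 3.1.3" />'
    '</head><body></body></html>'
)


def version_from_version_php(php_source: str):
    """Return the $wp_version string from version.php source, or None."""
    m = _VERSION_PHP_RE.search(php_source)
    return m.group(1) if m else None


def version_from_html(html: str):
    """Return the version from the generator meta tag, or None if it was
    removed (a missing tag is not evidence of a patched install)."""
    m = _GENERATOR_RE.search(html)
    return m.group(1) if m else None


def parse_version(version: str):
    """Turn '3.1.2', '3.1' or '3.2-beta2' into a comparable tuple.

    Numeric components compare numerically (3.1.10 > 3.1.3), missing
    components count as 0 (3.2 == 3.2.0), and a pre-release suffix sorts
    below the final release with the same base number.
    """
    base, _, suffix = version.partition("-")
    nums = tuple(int(part) for part in base.split("."))
    nums = nums + (0,) * (3 - len(nums))
    is_final = 0 if suffix else 1
    return (nums, is_final, suffix.lower())


def is_affected(version: str) -> bool:
    """True when the version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(version_php: str = None, html: str = None):
    """Combine the available evidence; version.php takes precedence because
    the generator tag can be suppressed by themes and plugins."""
    version = None
    if version_php is not None:
        version = version_from_version_php(version_php)
    if version is None and html is not None:
        version = version_from_html(html)
    if version is None:
        return {"version": None, "affected": None, "note": "version not determined"}
    return {"version": version, "affected": is_affected(version), "note": ""}


if __name__ == "__main__":
    # Typical use on the server:  assess(open("wp-includes/version.php").read())
    print(assess(version_php=SAMPLE_VERSION_PHP))
    print(assess(html=SAMPLE_HTML))
    print(assess(html="<html><head></head></html>"))
```

Run it against a real install with `assess(open("wp-includes/version.php").read())`; when only HTTP access is available, fetch the front page and pass the body as `html`, remembering that an empty result means "unknown", not "patched".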