-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1222
                         wordpress security update
                                 5 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3440 CVE-2015-3439 CVE-2015-3438

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3250

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running wordpress check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3250-1                   security@debian.org
http://www.debian.org/security/                         Alessandro Ghedini
May 04, 2015                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2015-3438 CVE-2015-3439 CVE-2015-3440
Debian Bug     : 783347 783554

Multiple security issues have been discovered in Wordpress, a weblog
manager, that could allow remote attackers to upload files with invalid
or unsafe names, mount social engineering attacks or compromise a site
via cross-site scripting, and inject SQL commands.
More information can be found in the upstream advisories at
https://wordpress.org/news/2015/04/wordpress-4-1-2/ and
https://wordpress.org/news/2015/04/wordpress-4-2-1/

For the oldstable distribution (wheezy), these problems have been fixed
in version 3.6.1+dfsg-1~deb7u6.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 4.2.1+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.2.1+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVR7+OAAoJEK+lG9bN5XPL7YgP/0kHKf4aTa4H/XlOy9L7/Oqz
IKaG69pbpzAN0ulrFt/flIWWN//SHzoY8jOfIZnrm4pnsDd6O2qS4TpTGa/911KQ
IEBhEuGsNrkSEjQZDW/NHsf1cdhTf3O3yWrtFMnaQSW2ksZnJb0GlgpSY1y/9bGH
AQWxhL6moG/ILO3e1j4gdr4bMKNBC1p1RK2+b7PQROQjdWjtdRCUKeDCpK9Qdt3P
bO/DaRdO07RjX4h92ozxKIpvsTfTaxlPDwFm2Sn2SSpkLS507QGDHdEkI2hu4Fj3
qT+BjSxPbqt767AlibehtoqF7UPz9zw6J06Wg37YBHTBWit1s6MO8K9y65B5ZO0a
pdRGjoaUprnGNvskaGXLPb80lASNQQ0m6aMdmbHgvzfTtPDG0MpNxLvCxpR5rLc+
z6YClWL+GzKHxKfpU0m8iC/0UnxrGsJ6jsYqElbDDoIf5ztrrJov6m5xpoME7vsS
9jaE4F1YWrhluNGTp4pAa/x78FLNOdVaDs/lPQ0f1dmq6EI1GaD9iuUp4XEANo76
SM0vjnzJ2Jo0kakcHiHbt7YX2tQilkrAkIMYAzDew1jtkvofLxW9jbeJ9NDWE5Hb
2d1mIvlRTRBFIMCS+5M83TSiIFeNOe7DjK19KTAYSAiLYf8LXuGWB2Y/eZF2j3Bq
RKxnRPe6EBh+NRIvZyaa
=nORs
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know
who that is, please send an email to auscert@auscert.org.au and we will
forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVUgGSxLndAQH1ShLAQJnMxAAgwKtC/OpnhUMhvQPLAJQwHE07MGKvkYr
rSEel9jm1suIYpWBpK4IAQkI01psbLlCFUPjO7G6IpkN7SHkT1E18IPDqjMS6ZBU
yG5HJFRs19uFIudSKvjUc2Uwo5vGHpQeaXslvYX7AOlJF5A5VkOwcYawWiaxR2wx
a+mCME/dUTYamMDJHjgyHDsU1hGo8nhGzW/h4oco9luhjLOObOuZrNrAFYwv3wqf
fJoj7u3VNnH48TjYuDwNRlFBNlzWp8G5sCl1HpoRu34K0/trKCW0h88mOtsZSzcg
2ghXHcRIgy7LMeFOA0y17rTjKg43elvY4pnqPEwCb/g2GpSG9laK/FYcBelXbtRc
bnKjIpeQngCByAiiVI/TPaXvN2xadKMo/ld8NhJzt6bmHhMeopYzm6lm5jXhrb5a
5jB8oM2XWTS3+QECU+mB4WXaSoJnvY9WEDsc+FD833JL2cKymGMceQN5cMlaxMMj
VBTK7bdBYCI/v9Jzo4bp4vcO/dpQUMrY7/Zv+rng4oEtmvNj2opkvFOM8gdtIjvS
UqTfAJ3pffc/ujOVgplHz5ie7dB3TzOG0xCWEGU5XSzf7wlh4JVqnVbKoNTQDbjn
l8z6AGVkInG8F36wCDlkCJdj3mpXFvpnZSlS8ugUgaISVSozebh0UItx8rN8YwX3
dZf469EITZI=
=MSe3
-----END PGP SIGNATURE-----