-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2080.2
                        wordpress security update
                               30 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5734 CVE-2015-5732 CVE-2015-5731 CVE-2015-5730
                   CVE-2015-5622 CVE-2015-4730 CVE-2015-2213

Reference:         ASB-2015.0077
                   ESB-2015.2020

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3332

Revision History:  October 30 2015: The patch applied for CVE-2015-5622 in
                                    DSA-3332-1 contained a faulty hunk.
                   August 12 2015:  Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3332-2                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 29, 2015                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wordpress
Debian Bug     : 803100

The patch applied for CVE-2015-5622 in DSA-3332-1 contained a faulty
hunk. This update corrects that problem. For reference, the relevant
part of the original advisory text follows.

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been improved.
    The parsing is a bit more strict, which may affect your installation.
    This is the corrected version of the patch that needed to be reverted
    in DSA 3328-2.

For the stable distribution (jessie), this problem has been fixed in
version 4.1+dfsg-1+deb8u6.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWMmrSAAoJEAVMuPMTQ89Eh5oQAJtVcUyWIvpuBMFUtU98C7wR
ByLLS/ZmRobusmK1p6MJHpT/ZKC03VIFR4Rcoz1pYhynnIRJfi29xrZDZMjMox5B
fLRhSQgFi9TVAF1CeZfYEJCs3ryMpDurUEdNeRzYZUzCIuhRDh6GJ1l6fuxgMdsG
lDLOGzBVX6d/OGmnUhqaHzjaF0TgGoJwXvz1dwShJUNkF0k72mp6Aam/WY5/2Xl7
TJTFwCU1S0Egfnwv7Ry7r2cAOl1RG7cWu6aYxEZb/5HKbvXjSaz2FKZ4r5ISXt9x
mtDXqooc8YzG7grOEROP0wU1fvOkV6+fwex6pdf4HImocu6onFH8QUTKG0B3knGQ
MbY4JX271Kug5mmH2+qGjVuduj4sAgqjgjsEJo3QBvYpmFkYyWZK7tfH/Vr4tbJc
/B+bwOsAquGaMQyYS0oN9vYfGdMXKKRWdNrWw2zjwiiRu+CTq1WUF/s64Y2wemYW
DFkbAbeqPsB1s6whZ9f6e7YP9irTF1G+ZPT04Tao68DeMcAIVSMUQQfWbiPBbfNT
oF4RaEo5WPAM2MmKVHBFvftf5sJ6EDh2oP9Sj9Jsm3/EZMiAW+Wxh/LImbl150ix
uA5X8PmET+cQeTANhi95stSV8dqtD6Toctbb7gqFffU+Efutu7ATmITbatLWMxbc
qjarCb4+JW+9n/UNHR45
=SvqH
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3332-1                   security@debian.org
https://www.debian.org/security/                           Thijs Kinkhorst
August 11, 2015                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2015-2213 CVE-2015-5622 CVE-2015-5730 CVE-2015-5731
                 CVE-2015-5732 CVE-2015-5734
Debian Bug     : 794548 794560

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-2213

    SQL Injection allowed a remote attacker to compromise the site.

CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been improved.
    The parsing is a bit more strict, which may affect your installation.
    This is the corrected version of the patch that needed to be reverted
    in DSA 3328-2.

CVE-2015-4730

    A potential timing side-channel attack in widgets.

CVE-2015-5731

    An attacker could lock a post that was being edited.

CVE-2015-5732

    Cross site scripting in a widget title allows an attacker to steal
    sensitive information.

CVE-2015-5734

    Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen
Hou-Sandà of the WordPress security team, Netanel Rubin of Check Point,
Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u4.

For the unstable distribution (sid), these problems have been fixed in
version 4.2.4+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVylLuAAoJEFb2GnlAHawEYZcH+wYhmzviQqvT3UyFGW6YVg7R
Xw0usIm12p1/bOPO+ReBycnfhjebD6/xyJpKGtPFzKTvH7C7aUStRuL12OCOOgsJ
W6mP1N5mWH4+As9gTurLAyOogGvnyAzksjLboekAJ33bkEMdCSsmC/jSi44x677w
Pw10qmvA/rocKvsn1KCBCJKYr9rcrZ0S80rpE88309xxKOG+xL+5PvXQEs0FhzLk
uhcZXro2IMQ07/tiQVzcJTyZvYUjQ+UDPoUiDdtsfHz/d7HbO5iP3qkIa0y0cBSc
OdeleqZ7cV8QuMZSEHwkNYXZGmndJb3m+ooCf96kGcTZq5BqsUrXjXbzTFy9xlM=
=i7sr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVjK4ln6ZAP0PgtI9AQIp7hAAgWW/HccSXvCVHF91yRDnEceMYbJ76xKY
pYFQ3FwIUyFl+178HChQfZXAqw1vNp3V05/k+dO/IDGQepGVy/e2xI55SDfhdfr0
UPiVjE5Jj+azuDrsrB3cXvruj7sOWMVI8nu1Ay/XgJnE0GB3zO1s9S2wqCko0g3Z
YmakMB/xJMyhfrjRbiG+YQK3wO7+HqDg3ANH2kR6T61om7DYDYSA2uFWv52BUj3P
NYTUtbnCgdLMGPbwmxVEQcl2mqiUS2rq2vr1cKMwnXu4oD4R8omcp8i4arGPqP3L
S8DhyoA3rL81UXgrfvhnEP13Z6pXs6ffq+HxT4qj/YqI2qhCWyzE2fgys2MMg1IW
cFZyW9qPefR+K+56H7B77jPE3DDl0omBsIcu2ldmFPho07p3WKr3YraJqIfyLoXw
A4YkmyR3ILedprA3DQsY8Irz7X5+ImRUyGLx1CCrmCsdhSMgJj1bttDnJXTHc3iw
6WVdy71k96C/UD4IIKpIM4Xat9j4eccy2tSXGdW9/tKrqi+Z7P/a8kkqTst+r7Gw
CbXEV7bniRrBv2XOSmt47XsbiG5d8nr5U6BZgu+rU95HcVLqHGok209vgcFrvKvy
jAtPbLWb6XlHMbUVY4YdFNQ39gGRslB1yhnXv+U6S6pqw1fJhuwFQVSZtAEAyGY4
/58nG4rnllA=
=ccTF
-----END PGP SIGNATURE-----
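The advisory above names the versions that carry the fix (4.1+dfsg-1+deb8u6 for jessie, 4.2.4+dfsg-1 for sid), and the only sound way to decide whether a host is still exposed is to compare the installed package version against those strings using Debian's own ordering rules, not plain string comparison ("deb8u6" sorts after "deb8u10" lexically, but is older). The script below is an added example and is not part of the AusCERT or Debian bulletin; it implements the dpkg version-ordering algorithm (epoch, upstream, revision, numeric digit runs, "~" sorting first) in pure Python so it can run where dpkg is absent, reads a package version out of dpkg status text, and reports whether the DSA-3332 fix is present. The status stanza and the helper names (`compare_versions`, `installed_version`, `is_fixed`) are constructed for the example.

```python
"""Decide whether an installed Debian wordpress package carries the DSA-3332 fix.

Added example: implements the dpkg version-ordering rules (epoch, upstream,
revision; '~' sorts before everything; digit runs compare numerically) so the
check does not depend on dpkg being installed on the machine running it.
"""
import re

# Fixed versions as stated in DSA-3332-1 / DSA-3332-2.
FIXED_VERSIONS = {
    "jessie": "4.1+dfsg-1+deb8u6",
    "sid": "4.2.4+dfsg-1",
}

# Constructed sample of /var/lib/dpkg/status content; not from a real host.
SAMPLE_STATUS = """\
Package: wordpress
Status: install ok installed
Priority: optional
Version: 4.1+dfsg-1+deb8u4

Package: wordpress-theme-twentyfifteen
Status: install ok installed
Version: 4.1+dfsg-1+deb8u4
"""


def _order(c):
    """Sort weight of a single character, as dpkg defines it."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the dpkg way."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Compare the non-digit prefixes character by character.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Then compare the digit runs numerically (leading zeros ignored).
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1    # a's number has more digits, so it is larger
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def installed_version(status_text, package):
    """Return the Version of an installed package from dpkg status text, else None."""
    for stanza in re.split(r"\n\s*\n", status_text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Package") == package and fields.get("Status", "").endswith(" installed"):
            return fields.get("Version")
    return None


def is_fixed(installed, suite):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


if __name__ == "__main__":
    v = installed_version(SAMPLE_STATUS, "wordpress")
    state = "patched" if is_fixed(v, "jessie") else "VULNERABLE, upgrade"
    print(f"wordpress {v}: {state}")
```

On a real jessie host, `cat /var/lib/dpkg/status` (or `dpkg-query -W -f='${Version}\n' wordpress`) supplies the input in place of `SAMPLE_STATUS`; the sample deliberately holds 4.1+dfsg-1+deb8u4, the version fixed by DSA-3332-1 but still missing the corrected CVE-2015-5622 hunk from DSA-3332-2, so the check reports it as needing the upgrade.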