-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.2080.2
                         wordpress security update
                              30 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5734 CVE-2015-5732 CVE-2015-5731
                   CVE-2015-5730 CVE-2015-5622 CVE-2015-4730
                   CVE-2015-2213  

Reference:         ASB-2015.0077
                   ESB-2015.2020

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3332

Revision History:  October 30 2015: The patch applied for CVE-2015-5622 in
                                    DSA-3332-1 contained a faulty hunk.
                   August  12 2015: Initial Release
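As an added check (not part of the Debian or AusCERT text): a small Debian-style version comparison that tells whether an installed wordpress package carries the deb8u6 build this revision requires, or only the deb8u4 build from DSA-3332-1 whose CVE-2015-5622 patch contained the faulty hunk. The version strings are the ones quoted in the advisory; the suite labels and the status names are assumptions made for this example.

```python
import re
from itertools import zip_longest

# Fixed versions quoted in DSA-3332-2 (jessie) and DSA-3332-1 (sid).
FIXED = {"jessie": "4.1+dfsg-1+deb8u6", "sid": "4.2.4+dfsg-1"}
FAULTY_HUNK = "4.1+dfsg-1+deb8u4"   # DSA-3332-1 build, superseded by deb8u6

# dpkg ordering for non-digit characters: '~' sorts before end of string (0),
# letters sort before every other non-digit character.
def _order(c): return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for x, y in zip_longest(map(_order, a), map(_order, b), fillvalue=0):
        if x != y:
            return x - y
    return 0

_cmp_digits = lambda x, y: int(x or 0) - int(y or 0)   # numeric, not lexical

def _cmp_part(a, b):
    # Alternate non-digit runs (dpkg lexical order) and digit runs (numeric).
    while a or b:
        for pat, cmp in ((r"[^0-9]*", _cmp_nondigit), (r"[0-9]*", _cmp_digits)):
            ma, mb = re.match(pat, a), re.match(pat, b)
            r = cmp(ma.group(), mb.group())
            if r:
                return r
            a, b = a[ma.end():], b[mb.end():]
    return 0

def parse_version(v):
    # [epoch:]upstream[-debian_revision]; the revision follows the LAST hyphen.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    # Returns -1, 0 or 1, like dpkg --compare-versions lt/eq/gt.
    for x, y in zip(parse_version(a), parse_version(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _cmp_part(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0

def advisory_status(installed, suite="jessie"):
    # Status names are assumed labels for this example, not Debian terminology.
    if compare_versions(installed, FIXED[suite]) >= 0:
        return "fixed"
    if suite == "jessie" and compare_versions(installed, FAULTY_HUNK) >= 0:
        return "faulty-hunk"   # DSA-3332-1 applied; DSA-3332-2 still needed
    return "vulnerable"
```

Feed it the output of `dpkg-query -W -f '${Version}' wordpress` on the host being checked; a "faulty-hunk" result means the package was updated for DSA-3332-1 but not for this revision.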

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3332-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 29, 2015                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wordpress
Debian Bug     : 803100

The patch applied for CVE-2015-5622 in DSA-3332-1 contained a faulty
hunk. This update corrects that problem. For reference, the relevant
part of the original advisory text follows.

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been
    improved. The parsing is a bit more strict, which may affect
    your installation. This is the corrected version of the patch
    that needed to be reverted in DSA 3328-2.

For the stable distribution (jessie), this problem has been fixed in
version 4.1+dfsg-1+deb8u6.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3332-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
August 11, 2015                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2015-2213 CVE-2015-5622 CVE-2015-5730 CVE-2015-5731 
                 CVE-2015-5732 CVE-2015-5734
Debian Bug     : 794548 794560

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-2213

    SQL Injection allowed a remote attacker to compromise the site.

CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been
    improved. The parsing is a bit more strict, which may affect
    your installation. This is the corrected version of the patch
    that needed to be reverted in DSA 3328-2.

CVE-2015-4730

    A potential timing side-channel attack in widgets.

CVE-2015-5731

    An attacker could lock a post that was being edited.

CVE-2015-5732

    Cross site scripting in a widget title allows an attacker to
    steal sensitive information.

CVE-2015-5734

    Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri,
Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point,
Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u4.

For the unstable distribution (sid), these problems have been fixed in
version 4.2.4+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----