Debian alert DSA-2901-3 (wordpress)
| From: | Salvatore Bonaccorso <carnil@debian.org> | |
| To: | debian-security-announce@lists.debian.org | |
| Subject: | [SECURITY] [DSA 2901-3] wordpress regression update | |
| Date: | Mon, 21 Apr 2014 06:06:48 +0000 | |
| Message-ID: | <E1Wc7NQ-0006g8-6B@master.debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2901-3 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 21, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : wordpress CVE ID : CVE-2014-0165 CVE-2014-0166 Debian Bug : 744018 The update of wordpress in DSA-2901-2 introduced a wrong versioned dependency on libjs-cropper, making the package uninstallable in the oldstable distribution (squeeze). This update corrects that problem. For reference the original advisory text follows. Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0165 A user with a contributor role, using a specially crafted request, can publish posts, which is reserved for users of the next-higher role. CVE-2014-0166 Jon Cave of the WordPress security team discovered that the wp_validate_auth_cookie function in wp-includes/pluggable.php does not properly determine the validity of authentication cookies, allowing a remote attacker to obtain access via a forged cookie. For the oldstable distribution (squeeze), this problem has been fixed in version 3.6.1+dfsg-1~deb6u4. We recommend that you upgrade your wordpress packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJTVLUPAAoJEAVMuPMTQ89EqdwP/3ayqSSOrZAYJSJO4U39wvUz +H9BnPCkXQmqB0jL1nh8VjDC6lm9FFcK+Nm04Kd2Ema1S2pjnmfj/rZ4ektKc2Bx 4gXX7NjfAGUt+cl+9Wl8KdUJ1a+N7jLkkRxNxEItQ9cradxMbsAHZl7+oLBcAjW2 l4Mj6eya8amumDHfVbe7a/+4ex1t6Jslk0EQPCRsDOrbXPHtctvzfX8LxBtfY/XH /ZZhXW6VsGKaZ2AfuM+tilYbPjTMqdvnCL6YrfiGStftdvlywELJw7Hnb1x9p83A E2FGcRsjCVuy2R5zvOcPIqJJG853t8wdRe3z+xfV/tONzUnuywa1GRm/c284d+Yx Gs8nW8+dtujIwSeGdubLwEOBc7HHvhk4/UPQpc3T6ricaupp2k42oLhB5kP3D2e9 fwNTFjULFVzrf7kfA8imroOkOPI5C57UMOTHrjdjzlPFAQC2DiUJx2UTtz/i42Ck HOay7x/0DSe5NrENdrVwZ558Z4PW8NBvrBPOrAXeJhdVzelfbpESaJoiM/lhUm0f T0o8H6dESm6rUlhxLxZoowTtOzg/qeduSdU7mhSGYhKYLplMv5kCGCak3z23UVGK CLWJsKVEf8lxOn/Rzd5z8o/wqrWqLf0uRF0xQrqCCzyplV9cZXNOz/oaIu64Ajo4 r5vIZoPqbIGSopbSOae2 =bnMQ -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: https://lists.debian.org/E1Wc7NQ-0006g8-6B@master.debian.org