
Mageia alert MGASA-2014-0493 (wordpress)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2014-0493: Updated wordpress package fixes security vulnerabilities
Date:  Wed, 26 Nov 2014 18:29:34 +0100
Message-ID:  <20141126172934.13C565A018@valstar.mageia.org>

MGASA-2014-0493 - Updated wordpress package fixes security vulnerabilities

Publication date: 26 Nov 2014
URL: http://advisories.mageia.org/MGASA-2014-0493.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-9031, CVE-2014-9032, CVE-2014-9033, CVE-2014-9034, CVE-2014-9035, CVE-2014-9036, CVE-2014-9037, CVE-2014-9038, CVE-2014-9039

Description:

XSS in wptexturize() via comments or posts, exploitable for unauthenticated users (CVE-2014-9031).

XSS in media playlists (CVE-2014-9032).

CSRF in the password reset process (CVE-2014-9033).

Denial of service for giant passwords. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034).

XSS in Press This (CVE-2014-9035).

XSS in HTML filtering of CSS in posts (CVE-2014-9036).

Hash comparison vulnerability in old-style MD5-stored passwords (CVE-2014-9037).

SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space (CVE-2014-9038).

Previously an email address change would not invalidate a previous password reset email (CVE-2014-9039).

References:
- https://bugs.mageia.org/show_bug.cgi?id=14625
- https://wordpress.org/news/2014/11/wordpress-4-0-1/
- http://openwall.com/lists/oss-security/2014/11/25/12
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9035
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9036
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9037
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9039

SRPMS:
- 4/core/wordpress-3.9.3-1.mga4
- 3/core/wordpress-3.9.3-1.mga3



