Debian alert DLA-1673-1 (wordpress)
| From: | Markus Koschany <apo@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 1673-1] wordpress security update |
| Date: | Tue, 12 Feb 2019 00:24:13 +0100 |
| Message-ID: | <fb77a7d0-6e28-2539-4d8e-190e2311c2a1@debian.org> |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : wordpress
Version        : 4.1.25+dfsg-1+deb8u1
CVE ID         : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149 CVE-2018-20150
                 CVE-2018-20151 CVE-2018-20152 CVE-2018-20153
Debian Bug     : 916403

CVE-2018-20147

    Authors could modify metadata to bypass intended restrictions on
    deleting files.

CVE-2018-20148

    Contributors could conduct PHP object injection attacks via crafted
    metadata in a wp.getMediaItem XMLRPC call. This is caused by
    mishandling of serialized data at phar:// URLs in the
    wp_get_attachment_thumb_file function in wp-includes/post.php.

CVE-2018-20149

    When the Apache HTTP Server is used, authors could upload crafted
    files that bypass intended MIME type restrictions, leading to XSS, as
    demonstrated by a .jpg file without JPEG data.

CVE-2018-20150

    Crafted URLs could trigger XSS for certain use cases involving
    plugins.

CVE-2018-20151

    The user-activation page could be read by a search engine's web
    crawler if an unusual configuration were chosen. The search engine
    could then index and display a user's e-mail address and (rarely)
    the password that was generated by default.

CVE-2018-20152

    Authors could bypass intended restrictions on post types via crafted
    input.

CVE-2018-20153

    Contributors could modify new comments made by users with greater
    privileges, possibly causing XSS.

For Debian 8 "Jessie", these problems have been fixed in version
4.1.25+dfsg-1+deb8u1.

We recommend that you upgrade your wordpress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlxiBBxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRlbg//WVVcb7mdSO7b6g90jDXV95AvoCCJzzF5oFlgN9uIrt48Z33s6fPOYIrX
O8dXYh8v/jrwee7JOi1ODAGwXd9taLSflrLG0e/E/dYQxr1YWOq9Hfu+0Iglgvg4
GkiWIoOO/HEdmnsQjNLPEWIutnS5f1ttcmsS652+J4B5ILueHeiqcCWpZj7LmwgL
FFKk34vqCkV3XmEPTFAbd/5V2oHMeN4iM6O6okJUKk70GWP2rUNclHUF8jMz/aeT
qQt1nUhXKTFXJLQJtpPXi+snUBGSVeRFbt5KCviJYCgxfhRG5Lm0Ey7irVUcvX+R
YDXXpzeGb7/b7mFsE22UxvznBBPt8EqE2mAjtICw7TbsthRnhQU9I1gHhlDizPfY
RmQXSUD+dYx0VrDd4oDhtEn3MHYmLwsG/lHJSEHKJRj0bOgHiK8GOgzMa/bbLl0V
esoh2EUkS2uLr+I2nDHGevBh5xTP2m8Yt7jELPhs4l9QrviCAiCnzmAJtZlIPaYC
pm1hbctTG7fYWNxjFWRXENhlavi7NnGXijYCTolcHiR6uv3ni73WC3zfW7NLKaYc
5xIa4TRHYiXHk/wzn5nquexgs9UIVWaBE+ZTHeDVP2FRgEmAkrqOq9tAwBnzFoLz
zzZt0o0ZKcrRn41pyfId0MYQhlGrl2nxxrVHfFITpvcS8N/UcuA=
=vsTl
-----END PGP SIGNATURE-----
