blob: a62e40fde211cc7231d3e6284e728c0a45fcbe45 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<p>Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.</p>
<ul>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2015-8834">CVE-2015-8834</a>
<p>Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in
WordPress before 4.2.2 allows remote attackers to inject arbitrary
web script or HTML via a long comment that is improperly stored
because of limitations on the MySQL TEXT data type.
NOTE: this vulnerability exists because of an incomplete fix for
<a href="https://security-tracker.debian.org/tracker/CVE-2015-3440">CVE-2015-3440</a></p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-4029">CVE-2016-4029</a>
<p>WordPress before 4.5 does not consider octal and hexadecimal IP
address formats when determining an intranet address, which allows
remote attackers to bypass an intended SSRF protection mechanism
via a crafted address.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-5836">CVE-2016-5836</a>
<p>The oEmbed protocol implementation in WordPress before 4.5.3 allows
remote attackers to cause a denial of service via unspecified
vectors.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-6634">CVE-2016-6634</a>
<p>Cross-site scripting (XSS) vulnerability in the network settings
page in WordPress before 4.5 allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-6635">CVE-2016-6635</a>
<p>Cross-site request forgery (CSRF) vulnerability in the
wp_ajax_wp_compression_test function in wp-admin/includes/ajaxactions.php
in WordPress before 4.5 allows remote attackers to
hijack the authentication of administrators for requests that
change the script compression option.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-7168">CVE-2016-7168</a>
<p>Fix a cross-site scripting vulnerability via image filename.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-7169">CVE-2016-7169</a>
<p>Fix a path traversal vulnerability in the upgrade package uploader.</p></li>
</ul>
<p>For Debian 7 <q>Wheezy</q>, these problems have been fixed in version
3.6.1+dfsg-1~deb7u12.</p>
<p>We recommend that you upgrade your wordpress packages.</p>
<p>Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2016/dla-633.data"
# $Id: $
|