Bug#862816: wordpress: Six security bugs in wordpress 4.7.4 and earlier
On Wed, May 17, 2017 at 09:54:55PM +1000, Craig Small wrote: > Source: wordpress > Version: 4.7.4+dfsg-1 > Severity: grave > Tags: upstream security > Justification: user security hole > > Wordpress 4.7.4 and earlier has 6 security holes that are fixed in > 4.7.5[1] > > * 2.7.0 - 4.7.4 >Insufficient redirect validation in the HTTP class. > * 2.5.0 - 4.7.4 >Improper handling of post meta data values in the XML-RPC API. > * 3.4.0 - 4.7.4 >Lack of capability checks for post meta data in the XML-RPC API. > * 2.5.0 - 4.7.4 >A Cross Site Request Forgery (CRSF) vulnerability was discovered in the >filesystem credentials dialog. > * 3.3 - 4.7.4 >A cross-site scripting (XSS) vulnerability was discovered when >attempting to upload very large files. > * 3.4.0 - 4.6.4 >A cross-site scripting (XSS) vulnerability was discovered related to the >Customizer. > > Looking at the versions, all distributions are vulnerable to all bugs, > yay me! Craig, will this version make it to testing? If that is the case, I'll prepare the jessie backport today. Thanks a lot, Rodrigo
Bug#862816: wordpress: Six security bugs in wordpress 4.7.4 and earlier
Source: wordpress Version: 4.7.4+dfsg-1 Severity: grave Tags: upstream security Justification: user security hole Wordpress 4.7.4 and earlier has 6 security holes that are fixed in 4.7.5[1] * 2.7.0 - 4.7.4 Insufficient redirect validation in the HTTP class. * 2.5.0 - 4.7.4 Improper handling of post meta data values in the XML-RPC API. * 3.4.0 - 4.7.4 Lack of capability checks for post meta data in the XML-RPC API. * 2.5.0 - 4.7.4 A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog. * 3.3 - 4.7.4 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. * 3.4.0 - 4.6.4 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Looking at the versions, all distributions are vulnerable to all bugs, yay me! I'll request the CVEs and update when I get them. 1: https://wordpress.org/news/2017/05/wordpress-4-7-5/ -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
