-------------------------------------------------------------------------
Debian LTS Advisory DLA-2630-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
April 21, 2021                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : wordpress
Version        : 4.7.20+dfsg-1+deb9u1
CVE ID         : CVE-2021-29447 CVE-2021-29450
Debian Bug     : 987065

CVE-2021-29447

    WordPress is an open source CMS. A user with the ability to upload
    files (like an Author) can exploit an XML parsing issue in the Media
    Library leading to XXE attacks. This requires the WordPress
    installation to be using PHP 8. Access to internal files is possible
    in a successful XXE attack.

CVE-2021-29450

    WordPress is an open source CMS. One of the blocks in the WordPress
    editor can be exploited in a way that exposes password-protected
    posts and pages. This requires at least contributor privileges.

For Debian 9 stretch, these problems have been fixed in version
4.7.20+dfsg-1+deb9u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS