Security Information / 2015 / Security Information -- DSA-3250-1 wordpress

Debian Security Advisory

DSA-3250-1 wordpress -- security update

Date Reported:

04 May 2015

Affected Packages:

wordpress

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 783347, Bug 783554.
In Mitre's CVE dictionary: CVE-2015-3438, CVE-2015-3439, CVE-2015-3440.

More information:

Multiple security issues have been discovered in Wordpress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.

More information can be found in the upstream advisories at https://wordpress.org/news/2015/04/wordpress-4-1-2/ and https://wordpress.org/news/2015/04/wordpress-4-2-1/

For the oldstable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u6.

For the stable distribution (jessie), these problems have been fixed in version 4.1+dfsg-1+deb8u1.

For the testing distribution (stretch), these problems have been fixed in version 4.2.1+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in version 4.2.1+dfsg-1.

We recommend that you upgrade your wordpress packages.