Debian
DEBIAN:BSA-114:66705
History: Jan 23, 2017 - 7:39 a.m.

[BSA-114] Security update for wordpress

2017-01-23 07:39:04
lists.debian.org

CVSS2: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9
Confidence: Low

EPSS: 0.967
Percentile: 99.7%

Craig Small <[email protected]> uploaded new packages for wordpress
which fixed the following security problems:

CVE-2016-10066, CVE-2016-10045
  Potential Remote Command Execution (RCE) in PHPMailer
CVE-2017-5488
  Authenticated Cross-Site scripting (XSS) in update-core.php
CVE-2017-5490
  Stored Cross-Site Scripting (XSS) via Theme Name fallback
CVE-2017-5491
  Post via Email Checks mail.example.com by Default
CVE-2017-5492
  Accessibility Mode Cross-Site Request Forgery (CSRF)
CVE-2017-5493
  Cryptographically Weak Pseudo-Random Number Generator
CVE-2017-5487
  User Information Disclosure via REST API - API doesn't exist
CVE-2017-5489
  Cross-Site Request Forgery (CSRF) via Flash Upload

For the jessie-backports distribution the problems have been fixed in
version 4.7.1+dfsg-1~bpo8+1
