ESB-2018.2193 - [Debian] wordpress: Multiple vulnerabilities 2018-07-30


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2193
                         wordpress security update
                               30 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12895 CVE-2016-5836 

Reference:         ESB-2018.2095

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1452-1

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : wordpress
Version        : 4.1+dfsg-1+deb8u18
CVE ID         : CVE-2016-5836 CVE-2018-12895
Debian Bug     : 902876

Two vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2016-5836

    The oEmbed protocol implementation in WordPress before 4.5.3 allows
    remote attackers to cause a denial of service via unspecified
    vectors.

CVE-2018-12895

    This vulnerability allowed remote attackers holding specific WordPress
    roles (that is, with an existing account) to execute arbitrary code.

For Debian 8 "Jessie", these problems have been fixed in version
4.1+dfsg-1+deb8u18.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------
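The Debian advisory above names the fixed version but leaves the "is this host patched?" check to the reader. The following is an added example, not part of the Debian or AusCERT text, that makes that decision with dpkg's version-ordering rules (epoch, upstream, revision; tilde sorts first; digit runs compare numerically), so that revision suffixes such as deb8u9 and deb8u18 are not mis-ranked the way a plain string comparison would rank them. It assumes the installed version string is obtained separately (for example from dpkg-query -W wordpress); the other version strings used for comparison are constructed.

```python
import re
from itertools import zip_longest
FIXED_VERSION = "4.1+dfsg-1+deb8u18"  # fixed version named in DLA-1452-1 above

def _order(c):
    # dpkg's ordering for non-digit characters: '~' sorts before anything,
    # even the end of the run (scored 0); letters sort before other symbols.
    if not c or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): split both strings into alternating non-digit and
    # digit runs; non-digit runs compare character by character via _order,
    # digit runs compare numerically (an absent run counts as 0).
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(version):
    # Debian versions are [epoch:]upstream[-revision]: the first ':' ends the
    # epoch, the last '-' starts the Debian revision.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_patched(installed, fixed=FIXED_VERSION):
    """True when an installed version string (e.g. from dpkg-query -W) is at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0
```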

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
