-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1654
                         wordpress security update
                                12 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11029 CVE-2020-11028 CVE-2020-11027
                   CVE-2020-11026  

Reference:         ESB-2020.1606

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : wordpress
Version        : 4.1.30+dfsg-0+deb8u1
CVE ID         : CVE-2020-11026 CVE-2020-11027 CVE-2020-11028
                 CVE-2020-11029
Debian Bug     : 959391


Multiple CVE(s) were discovered in the src:wordpress package.

CVE-2020-11026

    Files with a specially crafted name when uploaded to the
    Media section can lead to script execution upon accessing
    the file. This requires an authenticated user with privileges
    to upload files.

CVE-2020-11027

    A password reset link emailed to a user does not expire upon
    changing the user password. Access would be needed to the email
    account of the user by a malicious party for successful execution.

CVE-2020-11028

    Some private posts, which were previously public, can result in
    unauthenticated disclosure under a specific set of conditions.

CVE-2020-11029

    A vulnerability in the stats() method of class-wp-object-cache.php
    can be exploited to execute cross-site scripting (XSS) attacks.

For Debian 8 "Jessie", these problems have been fixed in version
4.1.30+dfsg-0+deb8u1.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl65Vl0ACgkQgj6WdgbD
S5b3+g/+JP5/nEpFx+4NhWVR3BEvWeViZeFi0T6LujRITUO6A5agZ74qRFHld9UF
fFm40/G7Vpn4Oe4+WAr6yZLdDO3npT4iBBcaPYTQtr0EJGE6/tDf3AvfXdQ3CHsX
uaIZQFRR3H+uyJV4UsFml+NMO+AyrjJMG1Nh8e2Wo2r3WD++gbyZbnjQJ3IZFRkk
+UPCBcmPDTo09y9gF4/jTJ0FpfrzVw53XtppGizEH44OSFtywN8t09xZpDTKOGm5
S8aB2Dr8giIyku2nm5VZJ740nMb/q1RcC3krLJYXXIemvvmzjPb69f9B8aI8Mt6Y
IXYMwmRLsKCW+pRv8TymM9WByhlONUeVqvOv0tfIXiHnJrGaRzfuYmEb4L72msnf
P0OVo0CL8D5QwYe4OwelczXooV0plEpQ2OTn699QtEpPGt28W6TI0yLk9m1wEjUp
Bp/g+R5dFYJCKd7MEEnfDRQjakCmTwRxsaXk29WK6KVPPsdoTDSsIj4MIndy7NzX
fTCLqaY1noku3MtpHiHIYtac6JLmBkPDBMh11bzA0l2Tcnoq+bUNgo6fWQHtP6fO
Kt4CG1f2NcktiRupNw6+wdGMgd6LdX+RG91uxe7mGYQ0N03PtjTqclBi0VR87MVP
/VyOdPnL2YrDDCNPwMJOl/P/V+Ci586ajfdxQbNV8oKduo8ZnKs=
=qwxr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXrnvy2aOgq3Tt24GAQhidA/+IE63aP9zvMYtVONa7f5U031m+G7ynwj1
NAc+5A//HnQID+Ddl0Zte77W6KC92TDf010ZCiXOjhP/rZVM5cjt2ylWEz9Qb4O8
fEIB9KRpqIhiHgjD9Bsqcht1L2eM2H5dPrRTP2XIRbEgvZdmmL7rbojS9pJ72ucf
hX/0hHnyK1YL5L2cZljs4ONIPRNUOm7nXYqIkJMCJG8N2cDiyqLBZ6zq3LsXcASv
N7hR0HdWSgCJNw9LNtJXDpRicKyKcYczt4fVD9IdYDR/EHbHF3ntuZsDC8QcHbHY
TVhP2rKmvYVwR/Qjvpb1EwerYwuLmKuOhOu7UQZu+M4cgFSVZhG7mgKiwH8UqXJ9
7qrVYFzyyNPSXdSjcY0PBgel1/QHaepPnYI+Eogx5hutfyIZ15x1KTL/mQVN4sZu
rLcELBpzUbjnMOdgVzX1SwUq+Pbiyg4VL7+uIrIVaRoF2NihsozSX7LTHgGCuu9t
BIlnaDYkMfQdCZRlTVCYpZ38Z972mEkBteo+frRU66lzW+3hlDb7Fd2AKE66VbPz
nZToSs/4JApwBmIJovTlG0Bp7zP78WvbijwvS0uGe9yUNnsyiK3q0fyTyroWs6RK
cUk1fpQZgSawUKJBdixYVo6hrq/WMnxDM6tNTObyx0DxrSm1OV7JRfKdeMd4AkEH
PkDAmh1vYrk=
=yVGl
-----END PGP SIGNATURE-----