-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1654
                          wordpress security update
                                 12 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11029 CVE-2020-11028 CVE-2020-11027 CVE-2020-11026
Reference:         ESB-2020.1606

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : wordpress
Version        : 4.1.30+dfsg-0+deb8u1
CVE ID         : CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029
Debian Bug     : 959391

Multiple CVE(s) were discovered in the src:wordpress package.

CVE-2020-11026

    Files with a specially crafted name when uploaded to the Media section
    can lead to script execution upon accessing the file. This requires an
    authenticated user with privileges to upload files.

CVE-2020-11027

    A password reset link emailed to a user does not expire upon changing
    the user password. Access would be needed to the email account of the
    user by a malicious party for successful execution.

CVE-2020-11028

    Some private posts, which were previously public, can result in
    unauthenticated disclosure under a specific set of conditions.

CVE-2020-11029

    A vulnerability in the stats() method of class-wp-object-cache.php can
    be exploited to execute cross-site scripting (XSS) attacks.

For Debian 8 "Jessie", these problems have been fixed in version
4.1.30+dfsg-0+deb8u1.
We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.