-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3139
                         wordpress security update
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Increased Privileges -- Existing Account      
                   Cross-site Scripting -- Existing Account      
                   Reduced Security     -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4050 CVE-2020-4049 CVE-2020-4048
                   CVE-2020-4047 CVE-2019-17670 

Reference:         ESB-2020.2279
                   ESB-2020.2188
                   ESB-2019.4095

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2371

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2371-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                     
September 11, 2020                            https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : wordpress
Version        : 4.7.18+dfsg-1+deb9u1
CVE ID         : CVE-2019-17670 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 
                 CVE-2020-4050
Debian Bug     : 942459 962685

Multiple vulnerabilities were discovered in WordPress, a popular
content management system.

CVE-2019-17670

    WordPress has a Server Side Request Forgery (SSRF) vulnerability
    because Windows paths are mishandled during certain validation of
    relative URLs.

CVE-2020-4047

    Authenticated users with upload permissions (such as authors) can
    inject JavaScript into certain media file attachment pages. The
    script then executes in the context of a higher-privileged user
    who views the attachment page.

CVE-2020-4048

    Due to an issue in wp_validate_redirect() and URL sanitization, a
    link can be crafted that redirects to an arbitrary external site
    when clicked (an open redirect).
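An illustration of the bug class behind CVE-2019-17670, a "relative URL only" check that Windows-style backslash paths slip past; the normalise-before-deciding pattern in the hardened form applies to any check that decides whether a target is local, including the redirect validation named under CVE-2020-4048. This is an added example in Python, not WordPress's PHP code and not its upstream fix; the sample URLs and both validator functions are constructed here for illustration.

```python
from urllib.parse import urlsplit

# Constructed inputs (not from the advisory) that a "same-site only" URL check
# might be handed, e.g. as a redirect target or as a path to fetch server-side.
SAMPLE_URLS = [
    "/wp-admin/",                 # genuinely relative
    "//evil.example/",            # protocol-relative, clearly external
    "/\\evil.example/",           # Windows-style separator after the first slash
    "\\\\evil.example\\share",    # UNC-style path
    "https://evil.example/",      # absolute, clearly external
]


def naive_is_relative(url: str) -> bool:
    """The flawed check: trusts the parser's notion of 'no host' plus a leading '/'.

    Python's urlsplit() leaves backslashes in the path, so '/\\evil.example/'
    looks like a local path here, yet browsers (WHATWG URL parsing) and several
    HTTP clients read '\\' as '/' in http(s) URLs and end up at evil.example."""
    parts = urlsplit(url)
    return not parts.scheme and not parts.netloc and url.startswith("/")


def hardened_is_relative(url: str) -> bool:
    """Normalise the way a lenient consumer would before deciding, then refuse
    anything with a scheme or authority or a leading '//'. Generic pattern,
    not the upstream WordPress change."""
    candidate = url.replace("\\", "/")
    # Parsers strip or ignore C0 controls and whitespace; refuse rather than guess.
    if any(ord(c) < 0x21 for c in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    return candidate.startswith("/") and not candidate.startswith("//")


def classify(urls):
    """Return {url: (naive verdict, hardened verdict)} for the given inputs."""
    return {u: (naive_is_relative(u), hardened_is_relative(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in classify(SAMPLE_URLS).items():
        flag = "  <-- bypass" if naive and not hardened else ""
        print(f"{url!r:32} naive={naive!s:5} hardened={hardened!s:5}{flag}")
```

Running it shows only `/\evil.example/` accepted by the naive check and rejected by the hardened one: the decision must be made on the form the consumer will actually interpret, not on what the local parser happens to see.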

CVE-2020-4049

    When uploading a theme, the theme folder name can be crafted so
    that JavaScript executes on the themes page in /wp-admin.

CVE-2020-4050

    Misuse of the `set-screen-option` filter's return value allows
    arbitrary user meta fields to be saved. Exploitation requires an
    administrator to have installed a plugin that misuses the filter;
    once such a plugin is present, low-privileged users can leverage it.

Additionally, this update ensures that the latest comments can only be
viewed for public posts, and fixes the user activation procedure.

For Debian 9 stretch, these problems have been fixed in version
4.7.18+dfsg-1+deb9u1.

We recommend that you upgrade your wordpress packages.
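A practitioner's check for whether a host still needs this update, as an added example that is not part of the advisory: it reimplements the dpkg version-ordering rules (epoch, then upstream version, then Debian revision; digit runs compare numerically, `~` sorts before anything including the end of the string) so it runs anywhere, and applies them to the fixed version the advisory names. The `dpkg-query` output it parses is a constructed sample, not captured from real systems.

```python
"""Check installed wordpress package versions against the fixed version from
DLA-2371-1 using the dpkg version-comparison algorithm (no dpkg required)."""

# Fixed version for Debian 9 stretch, from the advisory.
FIXED_VERSION = "4.7.18+dfsg-1+deb9u1"

DIGITS = "0123456789"


def _isdigit(c: str) -> bool:
    return len(c) == 1 and c in DIGITS


def _order(c: str) -> int:
    """dpkg's character weight for the non-digit parts of a version string."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0

    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (ch(a, i) and not _isdigit(ch(a, i))) or (ch(b, j) and not _isdigit(ch(b, j))):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while _isdigit(ch(a, i)) and _isdigit(ch(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(ch(a, i)):
            return 1
        if _isdigit(ch(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed one."""
    return compare_versions(installed, fixed) < 0


# Constructed sample of `dpkg-query -W -f='${Package} ${Version} ${Status}\n' wordpress`
# output gathered from three hosts (illustrative, not real fleet data).
SAMPLE_DPKG_QUERY = """\
wordpress 4.7.5+dfsg-2+deb9u5 install ok installed
wordpress 4.7.18+dfsg-1+deb9u1 install ok installed
wordpress 4.7.18+dfsg-1~bpo9+1 install ok installed
"""


def audit(dpkg_output: str, fixed: str = FIXED_VERSION) -> dict:
    """Map each reported wordpress version to whether it still needs the update."""
    result = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "wordpress":
            continue
        result[fields[1]] = is_vulnerable(fields[1], fixed)
    return result


if __name__ == "__main__":
    for version, vulnerable in audit(SAMPLE_DPKG_QUERY).items():
        print(f"{version:28} {'UPGRADE' if vulnerable else 'ok'}")
```

Note the third sample: a `~` in the revision makes `1~bpo9+1` sort before `1+deb9u1`, so a naive string or tuple comparison would wrongly report that host as patched; on a Debian host the same verdict can be cross-checked with `dpkg --compare-versions "$installed" lt "$FIXED_VERSION"`.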

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl9biOsACgkQj/HLbo2J
BZ8V4wf/X3WmFd55W0aOBFGIa9thn9+cxH1jPeuZZV7rpV62m4ink1em5exVhTTq
uJxnGLYUJtI/EZJKgC9J5mdHcDK4gewIJhe7qG+8hqpT4eWK2P4CQnRCR79VT/y0
J/s37C1BSXSgIz+XS2DuvCKT0fH65GU6zn4icICT2D479JOc4szX2tpLJGn45COC
+3xfiVLZeGRzy8oHBmDgQGb31mvWccNHYMEn/Hj5jt5zZ97b6q5UVQpO7N+b2GiQ
7aminxrxru8Uwm1gE6J0o9ay1tcawQjlbU08OQRt5K1Nw2BqmlaBTiODUNVO7AVz
iPxnc5bTdl7vr0j4dGubmepB0z2DEg==
=YoV6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----