Wordpress package security issue

Bug #1496825 reported by ubuntu-tester
This bug affects 2 people
Affects                  Status         Importance   Assigned to   Milestone
wordpress (Ubuntu)       Fix Released   Undecided    Unassigned
wordpress (Precise)      Won't Fix      Undecided    Unassigned
wordpress (Trusty)       Confirmed      Undecided    Unassigned

Bug Description

Hello Everybody,

"WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset."

Source: https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/

So, is it possible to check if wordpress packages are vulnerable, and update them? (Ubuntu 12.04: wordpress 3.3.1+dfsg-1 0, Ubuntu 14.04: wordpress 3.8.2+dfsg-1ubuntu0.1 0, ...)

Thanks. Have a good day!
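One way to answer the reporter's question of whether an installed wordpress package is older than the upstream release that fixed the issue. This is an added example, not code from the bug report or from the Ubuntu wordpress package: it parses the output of dpkg-query (a constructed sample is embedded, built from the two versions the reporter quoted), strips the epoch, the +dfsg suffix and the Debian revision, and compares the remaining upstream version against a fixed upstream version such as 4.2.4 or 4.3.1. The caveat a practitioner needs: Ubuntu security updates are usually backported patches that keep the upstream version and only bump the revision (the ubuntu0.1 suffix on the Trusty package), so a result of "below the fixed upstream version" means the package has not been rebased, not that the fix is missing; confirming the fix requires the package changelog or the Ubuntu CVE tracker for the specific CVE ids.

```python
"""Compare installed Debian/Ubuntu wordpress package versions against the
upstream release that carries a fix (added example, not from the bug report)."""
import re
import shutil
import subprocess

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n' wordpress`
# output, built from the two package versions quoted in the bug description.
SAMPLE_DPKG_OUTPUT = (
    "wordpress\t3.3.1+dfsg-1\n"
    "wordpress\t3.8.2+dfsg-1ubuntu0.1\n"
)


def upstream_version(debian_version):
    """Reduce a Debian version string to its upstream part.

    Drops an optional epoch ("1:"), the Debian revision after the last "-"
    (which is where Ubuntu's "ubuntu0.1" security revisions live) and any
    "+dfsg"-style repack suffix.
    """
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    if "-" in v:
        v = v.rsplit("-", 1)[0]  # rsplit: upstream versions may contain "-" too
    v = v.split("+", 1)[0]
    return v


def version_tuple(version):
    """Turn "4.2.4" into (4, 2, 4) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_below(installed_debian_version, fixed_upstream_version):
    """True if the installed upstream version predates the fixed upstream release."""
    return version_tuple(upstream_version(installed_debian_version)) < version_tuple(
        fixed_upstream_version
    )


def check(dpkg_output, fixed_upstream_version):
    """Parse dpkg-query output (package<TAB>version per line) and flag each
    package whose upstream version is older than fixed_upstream_version.

    Returns a list of (package, installed_version, below_fixed) tuples.
    A True result means "not rebased to the fixed upstream release"; the
    Ubuntu package may still carry a backported patch under its revision.
    """
    results = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, version = line.split("\t", 1)
        results.append((package, version, is_below(version, fixed_upstream_version)))
    return results


def live_check(fixed_upstream_version, package="wordpress"):
    """Run dpkg-query on this host, if it exists, and return check() results.

    Returns None when dpkg-query is unavailable or the package is not installed.
    """
    if shutil.which("dpkg-query") is None:
        return None
    proc = subprocess.run(
        ["dpkg-query", "-W", "-f=${Package}\t${Version}\n", package],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    return check(proc.stdout, fixed_upstream_version)


if __name__ == "__main__":
    for pkg, ver, below in check(SAMPLE_DPKG_OUTPUT, "4.2.4"):
        state = "older than fixed upstream 4.2.4" if below else "at or above 4.2.4"
        print(f"{pkg} {ver}: {state}")
    live = live_check("4.3.1")
    print("live dpkg-query result:", live if live is not None else "not available")
```

Running the block prints both sample packages as older than upstream 4.2.4, which matches the reporter's situation; the live check only adds information on a host that actually has dpkg-query and the package installed.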


Revision history for this message
ubuntu-tester (ubuntu-tester1) wrote :

New WordPress security update released:

"WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

  - WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  - A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  - Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.3.1 also fixes twenty-six bugs. For more information, see the release notes or consult the list of changes."

Source: https://wordpress.org/news/2015/09/wordpress-4-3-1/

Jeremy Bícha (jbicha)
information type: Public → Public Security
Changed in wordpress (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wordpress (Ubuntu Precise):
status: New → Confirmed
Changed in wordpress (Ubuntu Trusty):
status: New → Confirmed
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in wordpress (Ubuntu Precise):
status: Confirmed → Won't Fix