—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– ————————————————————————-
Debian Security Advisory DSA-2901-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
April 12, 2014 http://www.debian.org/security/faq
– ————————————————————————-

Package : wordpress
CVE ID : CVE-2014-0165 CVE-2014-0166
Debian Bug : 744018

Several vulnerabilities were discovered in WordPress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2014-0165

A user with a contributor role, using a specially crafted
request, can publish posts, which is reserved for users of the
next-higher role.

CVE-2014-0166

Jon Cave of the WordPress security team discovered that the
wp_validate_auth_cookie function in wp-includes/pluggable.php does
not properly determine the validity of authentication cookies,
allowing a remote attacker to obtain access via a forged cookie.

For the oldstable distribution (squeeze), these problems have been fixed
in version 3.6.1+dfsg-1~deb6u2.

For the stable distribution (wheezy), these problems have been fixed in
version 3.6.1+dfsg-1~deb7u2.

For the testing distribution (jessie), these problems have been fixed in
version 3.8.2+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 3.8.2+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCgAGBQJTSaAGAAoJEAVMuPMTQ89E16kP/1qPSwTsXOAOcRW0si9TILJQ
dJfqgQNhaUom4c0Z1+OtGVV7i0APlznGFCK2xX3KVyAGP9OWKbc+jiYAkGYmMskh
5+Vk4La4g8qrDQjc3D82q+dW8KgO8oPPCVX6nF5FpPcliMykCs6Zlx+XcGtgBmTM
EnRs2fIA2dVWI/N1gV8+yOrYoU4ixUfWqUdI1qgn5r310JN0pVVYLPD/rwjUmj3w
/m2qM35tK0+cpSpPbN+P0KJSucVGRVvZKsMIJF+lbD9jM59Ig2GWgLFIti76C7Sz
D1kLb9lCUBFB/5qvRa76ljYLG/U1tQHNP8QqDddohHxm+nmyT6lMvFhYOH+TJBh/
Y6xFPaZLsLwQmz2T6z355C8itJhhdclU1gRmnNHHBCWe1LtJi52x8sLhotkSbN6T
nD/K6iv/gwOal4jgHjeLo9vkepbOWI6cZ3uZpxnZScfTS383LIFJ8DijCEnu5FPx
BJAb7HtQyYjCM5BJjzy0bP6b/EyHR49iuQ+WIAFhgiBkBqBON2q+ipGMgPs7EJBN
mc1TfO9IYBBJJYbep4UDho4wOYhzR6308PBm5kRWd6E7D+K5otJkKIsL76iTHDSc
846Mo9bi55jrRHSCMHwzqTKp1bj4PTsAlY//bYTevyye6zSfDxok6951k0qVMFSA
SV9zn6ftutk6v9J25cpr
=ewsD
—–END PGP SIGNATURE—–

—
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of “unsubscribe”. Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/E1WZ4gF-0003Sr-SU@master.debian.org