Updated wordpress package fixes security vulnerabilities
Publication date: 26 Nov 2014
Modification date: 26 Nov 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-9031, CVE-2014-9032, CVE-2014-9033, CVE-2014-9034, CVE-2014-9035, CVE-2014-9036, CVE-2014-9037, CVE-2014-9038, CVE-2014-9039
Description
- XSS in wptexturize() via comments or posts, exploitable for unauthenticated users (CVE-2014-9031).
- XSS in media playlists (CVE-2014-9032).
- CSRF in the password reset process (CVE-2014-9033).
- Denial of service for giant passwords. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034).
- XSS in Press This (CVE-2014-9035).
- XSS in HTML filtering of CSS in posts (CVE-2014-9036).
- Hash comparison vulnerability in old-style MD5-stored passwords (CVE-2014-9037).
- SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space (CVE-2014-9038).
- Previously an email address change would not invalidate a previous password reset email (CVE-2014-9039).
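The loopback issue behind CVE-2014-9038 is the kind of check that is easy to get wrong by comparing host strings instead of address ranges. The following is an added illustration, not WordPress or Mageia code: a weak string-equality filter beside a hardened one that parses the resolved address and tests network membership. The DNS table, hostnames and addresses are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for name resolution so the example runs offline.
# Real code must resolve the name and check the address it will connect to.
CONSTRUCTED_DNS = {
    "example.test": "198.51.100.10",   # documentation range, plays a public host
    "internal.test": "127.0.0.2",      # loopback, but not 127.0.0.1
}

# Address ranges a server-side fetcher should refuse to contact.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # the whole loopback block
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
]


def weak_is_safe(url):
    """The insufficient pattern: compare the host string against one literal."""
    host = urlsplit(url).hostname or ""
    return host not in ("localhost", "127.0.0.1")


def is_safe_target(url):
    """Hardened check: parse the resolved address and test range membership."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    resolved = CONSTRUCTED_DNS.get(parts.hostname, parts.hostname)
    try:
        addr = ipaddress.ip_address(resolved)
    except ValueError:
        return False                         # unresolvable: deny by default
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 ranges apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return False
    return not any(addr in net for net in BLOCKED_NETWORKS)
```

The check must be repeated on every redirect target, since a permitted first hop can redirect to a loopback address.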
References
- https://bugs.mageia.org/show_bug.cgi?id=14625
- https://wordpress.org/news/2014/11/wordpress-4-0-1/
- http://openwall.com/lists/oss-security/2014/11/25/12
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9035
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9036
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9037
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9039
SRPMS
4/core
- wordpress-3.9.3-1.mga4
3/core
- wordpress-3.9.3-1.mga3