[Secure-testing-team] Bug#857026: wordpress: 4.7.3 security release
Craig Small
csmall at debian.org
Tue Mar 7 10:30:05 UTC 2017
Source: wordpress
Version: 4.7.2
Severity: grave
Tags: upstream security
Justification: user security hole
There are six security issues with wordpress 4.7.2 that wordpress 4.7.3
fixes.
* Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
3.6.0 - 4.7.2
https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
* Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
2.8.1 - 4.7.2
https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
* Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
4.7.0 - 4.7.2
https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
* Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
4.0 - 4.7.2
https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
* Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
4.7 - 4.7.2
no patch supplied
* Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
4.2 - 4.7.2
https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
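The "control characters can trick redirect URL validation" item above describes a bug class worth seeing concretely. The following is an added illustration, not WordPress code and not the content of the linked commit: a naive redirect validator that trims only whitespace before deciding whether a target is a local path, compared with a hardened one that removes every C0 control character first and validates the URL as the browser will resolve it. The site origin `https://blog.example`, the allowed-host set, the attacker host `evil.example` and the choice of backspace (0x08) as the control character are constructed for the example. The browser model follows the WHATWG URL parser, which strips leading and trailing C0 controls and spaces and removes ASCII tab and newline anywhere in the input.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed values for the example (not from the bug report).
SITE_ORIGIN = "https://blog.example"
ALLOWED_HOSTS = {"blog.example"}

# Every C0 control character plus DEL; browsers ignore these at the edges of a URL.
C0_AND_DEL = "".join(chr(c) for c in range(0x20)) + "\x7f"


def browser_normalize(url: str) -> str:
    """Approximate WHATWG URL pre-processing of a Location header value."""
    url = url.replace("\t", "").replace("\n", "").replace("\r", "")  # removed anywhere
    return url.strip(C0_AND_DEL + " ")                                # stripped at the ends


def browser_destination(location: str) -> str:
    """Host the browser actually ends up on after following `location` from our site."""
    resolved = urljoin(SITE_ORIGIN + "/", browser_normalize(location))
    return urlsplit(resolved).hostname or ""


def naive_validate_redirect(location: str, default: str = SITE_ORIGIN) -> str:
    """Validator modelled on the weak pattern: trim whitespace, then decide from the
    string as the server sees it.  str.strip() removes whitespace, not backspace."""
    location = location.strip()
    if location.startswith("//"):                    # protocol-relative, treat as absolute
        location = "https:" + location
    # A hand-rolled authority parser (deliberately not urlsplit(), which in current
    # Python already strips leading controls): optional scheme, then "//host".
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/?#]*)", location, re.I)
    if m is None:
        return location                              # "no host, so it is a local path"
    host = m.group(1).rsplit("@", 1)[-1].split(":")[0].lower()
    return location if host in ALLOWED_HOSTS else default


def hardened_validate_redirect(location: str, default: str = SITE_ORIGIN) -> str:
    """Remove all control characters anywhere, then validate the URL exactly as the
    browser will resolve it against our origin and check the resulting host."""
    location = location.translate({ord(c): None for c in C0_AND_DEL}).strip()
    resolved = urljoin(SITE_ORIGIN + "/", location)  # "//evil" becomes "https://evil"
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname not in ALLOWED_HOSTS:
        return default
    return resolved


if __name__ == "__main__":
    payload = "\x08//evil.example/"                  # constructed attacker input
    for label, fn in (("naive", naive_validate_redirect),
                      ("hardened", hardened_validate_redirect)):
        out = fn(payload)
        print(f"{label:9s} returns {out!r:28s} -> browser goes to {browser_destination(out)}")
```

The naive validator hands the payload back unchanged because, with the backspace still in front, nothing looks like `//host`; the browser then drops the leading control character and follows a protocol-relative URL to the attacker's host. The hardened version gives the attacker no character the browser will silently discard, and it checks the host of the resolved URL rather than guessing from the raw string.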