Security: Multiple problems in wordpress
Name: Multiple problems in wordpress
ID: DTSA-33-1
Distribution: Debian Testing
Platforms: Debian testing
Date: Mon, 12 February 2007, 22:40
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0541
Applications: wordpress

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-33-1 February 12th, 2007
secure-testing-team@lists.alioth.debian.org Neil McGovern
http://secure-testing-master.debian.net/
- --------------------------------------------------------------------------

Package : wordpress
Vulnerability : multiple vulnerabilities
Problem-Scope : remote
Debian-specific: No
CVE ID : CVE-2007-0262 CVE-2007-0539 CVE-2007-0541

Various issues have been discovered in wordpress:

CVE-2007-0262
wordpress does not properly verify that the m parameter value has the string
data type, which allows remote attackers to obtain sensitive information via
an invalid m[] parameter, as demonstrated by obtaining the path, and
obtaining certain SQL information such as the table prefix.

CVE-2007-0539
WordPress before 2.1 allows remote attackers to cause a denial of service
(bandwidth or thread consumption) via pingback service calls with a source
URI that corresponds to a large file, which triggers a long download session
without a timeout constraint.

CVE-2007-0541
WordPress allows remote attackers to determine the existence of arbitrary
files, and possibly read portions of certain files, via pingback service
calls with a source URI that corresponds to a local pathname, which triggers
different fault codes for existing and non-existing files, and in certain
configurations causes a brief file excerpt to be published as a blog comment.
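The three issues above are input-validation failures of three different kinds: a scalar parameter accepted as an array (CVE-2007-0262), a pingback fetch with no size or time bound (CVE-2007-0539), and a pingback source URI that may name a local file or an internal host (CVE-2007-0541). The following block is an added illustration of the corresponding defensive checks; it is not WordPress code, and the function names, the byte and timeout limits, the fake resolver and the sample requests are all constructed for this example.

```python
"""Defensive checks for the three issue classes named in DTSA-33-1.

Added illustration, not WordPress code: the function names, limits and
sample inputs below are constructed for this example.
"""
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

MAX_PINGBACK_BYTES = 256 * 1024  # constructed cap on a fetched source page
FETCH_TIMEOUT = 5.0              # constructed socket timeout in seconds


def require_string_param(query: str, name: str) -> Optional[str]:
    """CVE-2007-0262 class: accept `name` only as a single scalar value.

    A request such as ?m[]=2007 arrives with the literal key "m[]", which
    a PHP-style parser turns into an array.  Any bracketed form of the key
    or a repeated key yields None, so the caller treats the parameter as
    absent instead of passing a non-string into string-only code.
    """
    params = parse_qs(query, keep_blank_values=True)
    if any(k == name + "[]" or k.startswith(name + "[") for k in params):
        return None
    values = params.get(name)
    if values is None or len(values) != 1:
        return None
    return values[0]


def validate_pingback_source(
    uri: str, resolve: Callable[[str], str] = socket.gethostbyname
) -> Optional[str]:
    """CVE-2007-0541 class: the source URI must be a public http(s) URL.

    Returns None when acceptable, otherwise a short reason.  Non-HTTP
    schemes (including file:), missing hosts, and hosts that are or
    resolve to loopback/private/link-local addresses are rejected, so the
    server never opens a local path or internal service for a caller.
    `resolve` is injectable so the check can run without DNS.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return "scheme must be http or https"
    if not parts.hostname:
        return "missing host"
    try:
        literal = ipaddress.ip_address(parts.hostname)
    except ValueError:
        literal = None
    if literal is None:
        try:
            resolved = resolve(parts.hostname)
        except OSError:
            return "host does not resolve"
        try:
            literal = ipaddress.ip_address(resolved)
        except ValueError:
            return "resolver returned a non-address"
    if not literal.is_global:
        return "host resolves to a non-public address"
    return None


def read_bounded(read: Callable[[int], bytes],
                 limit: int = MAX_PINGBACK_BYTES) -> bytes:
    """CVE-2007-0539 class: stop once more than `limit` bytes arrive.

    `read(n)` is any chunk reader, e.g. the .read method of a response from
    urllib.request.urlopen(url, timeout=FETCH_TIMEOUT).  The timeout bounds
    idle time per read; this bounds total bytes, so a source URI pointing
    at a huge file cannot tie up a worker or the link indefinitely.
    """
    buf = bytearray()
    while True:
        chunk = read(min(8192, limit + 1 - len(buf)))
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > limit:
            raise ValueError("pingback source exceeds %d bytes" % limit)


def bytes_reader(data: bytes) -> Callable[[int], bytes]:
    """Constructed stand-in for a network response's read(n)."""
    remaining = [data]

    def read(n: int) -> bytes:
        out, remaining[0] = remaining[0][:n], remaining[0][n:]
        return out

    return read


if __name__ == "__main__":
    # Constructed requests exercising each check; no network is used.
    table = {"blog.example": "93.184.216.34", "localhost": "127.0.0.1"}
    print(require_string_param("m=200702", "m"), require_string_param("m[]=x", "m"))
    for uri in ("http://blog.example/post/1", "file:///etc/passwd",
                "http://localhost/wp-config.php", "http://10.0.0.5/"):
        print(uri, "->", validate_pingback_source(uri, table.__getitem__))
    print(len(read_bounded(bytes_reader(b"x" * 100), limit=1000)))
```

In a real handler the order matters: validate the source URI before any connection is opened, then fetch with both the timeout and the byte cap, and only then parse the page for the backlink. The address check is applied to the resolved address rather than the hostname string, since a name can resolve to a loopback or private address even when it looks external.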

Please note that wordpress is not present in sarge.

For the testing distribution (etch) this is fixed in version
2.0.8-1

For the unstable distribution (sid) this is fixed in version
2.1.0-1

This upgrade is recommended if you use wordpress.

The Debian testing security team does not track security issues for the
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.

Upgrade Instructions
- --------------------

To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:

deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free

To install the update, run this command as root:

apt-get update && apt-get install wordpress

For further information about the Debian testing security team, please refer
to http://secure-testing-master.debian.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF0Nl497LBwbNFvdMRAu1wAJ4n9ZOJPm2owDhrgxNp9T5Y7Yl0pwCghW2c
bsyjKiR6HEojDn8/TPj6Gv4=
=Xadk
-----END PGP SIGNATURE-----

_______________________________________________
secure-testing-announce mailing list
secure-testing-announce@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce